23542300x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:51.473{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234E7960897DE84444F76369D7E43108,SHA256=8CAF853DFF9EAF5244831768CA5EA0B2B84CD640D4533DCCBB8A5AC17CCFD651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:51.045{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5AE3C954CED52E432B122D7F56DF04,SHA256=9AF3E04B89AC4D7A2EC137FD6F85FBAE1577AF8D8B1D503523696A21D55C732C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:51.095{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=28178D03A7FD07A2D5FEFD42A5217354,SHA256=FF40020F56F785DD02779BDCA5394EC31F44C8DCAA6E41CDC5BAA4F4850EB503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:51.026{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:52.185{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B980D731ECE29440577120F07602147,SHA256=4E6403569FD9A4481C8DC6E87295E9B6513E3D6B47B6EC8C85D1924850092B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:49.100{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52203-false10.0.1.12-8000- 354300x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:48.921{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52202-false10.0.1.12-8089- 23542300x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:52.491{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191761ACA6369DE90327DA9F4A2375F,SHA256=D775DA78546A5532DD9CC96612208B84948DA2A75E2C216340788D5B5BB7D71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:53.510{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827D195636FF9942B5D7D2433DAEC0EE,SHA256=4122AA554833EB5FF73987DA8CD79B82288E053F4C8EA895A8164C59270F0946,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:50.761{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:53.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF1F7E2BD15866965CE3124AB7059A,SHA256=26916604DE711FA15086B2EC954CAAB4E036F5154C7283686DF919124A9E0DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:53.263{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:53.263{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:53.263{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:54.420{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF95DC38FE25723A4A1ED7074B9BFC05,SHA256=773877A6BEEB355192E4F21C643552990EAF8BB8E703429B716779EC050CDFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:54.525{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E4A341ED22BD9D314E41B516A5BA9,SHA256=562CACE6FBB7A408F198F5958B2223F127B4B345936E9585D3FBBBDFFF3D85B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:55.654{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF80174278285DD763C2545E89E2D68,SHA256=9DA46E45C159F01A7A2554C12610E1A9C7963D641165E952FAF1F3139A10F02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:55.540{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AC265297D5CD3352A40B39742EE0DC,SHA256=3689F77D1158B06242FB3E0072EB7470471AFDA49E52E0977B44FE82447DF523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:56.888{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF3EE57B6DD5FB87564DE3F187150FC,SHA256=ACC5625A2C7695C41F90F45C29ECF33FD3181D03C8FF87F12CA3424CA6C8A797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.855{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:56.589{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94A2113CDF516A19C7DB42A99A499AC,SHA256=AD81CCE81224FE89BCA0E7F07C862947620E53972B47C7C6065DF87CDC5DCF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:57.935{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A453D991CFDF36E69254AE657BE80D,SHA256=4388DEE9FEB333E8707E33A95A05FC3E7F9792E25730201F2A07D215C6A54106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:57.607{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B46C57749434C85C6A4E0E23E3E2BB5,SHA256=384A43559C89400FE9AE99F05A2F30165B3DB3D6B7CBE994C9990340552E3D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:58.623{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEA7C0D3D055C839B402C2A14212510,SHA256=7F50E6957E92C86967684EEB119B94274B01D9C676E4667E5B9C6A2B82B1D0B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:56.746{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:59.637{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28329024FAD6C97DF201A07C63F15381,SHA256=2A5C8860EFE88069FF4BDDB6FBF57C421B3DDB35D37EBBDEFB4B13A8C4AFE46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:19:59.170{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23771DDB657F135C490BA26D8ADB446,SHA256=2DC7BCC83755056EF246CB43B7A9FB99B40790178D33B1A34937DFC2EBBE291B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:19:55.049{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52204-false10.0.1.12-8000- 23542300x800000000000000025496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:00.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAD5BC6B548BAB119B9A3FB4897ED1D,SHA256=0FA8BD04990254B25C858E1365B55DA6E637E910800E39177BA4ED7E8F1EDDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.706{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECF0FE1C2BA61DFE7C2E7FD9328490A,SHA256=0455C3223EBCB3A028DCE8E3B6A42A97D2D7D1A2CB9C31AB938E3D3CDFFB6A9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.537{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:00.536{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 17141700x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:01.972{80A11F3A-B9C0-6124-1809-00000000F001}1796\PSHost.132742704005364625.1796.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.925{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3ydmc2ml.uxo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.925{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gqdlpmkr.hsq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23120C030D5E2ECBE86B953FDD3834B3,SHA256=150E4C8F027CC11B53D85FE2566F2D806F45EF6554E154A407BAFE18EE61A63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:01.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5013970C6150912FB6C5C8F65A0548A1,SHA256=A0D7DE9404708F7606E1B5D3E657B7C6197D591CFF343BEF835790929BF0E98D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.639{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gqdlpmkr.hsq.ps12021-08-24 09:20:01.639 10341000x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.614{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.527{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.526{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37AF03B05C8D43ABB3CA82A02A7F1D3C,SHA256=D3F99EB38DBD4BE3F5B6DBF1A8A51846CA96272D9C52570922A21110899BECFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.765{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE544B4A683B450821CBD5214E3F9993,SHA256=9CA641E5EFCBE4EF00E9C0163E18281D4BB9F95AC2EF4EBD4FBB42BBCDED9D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:02.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB08984C59DC29CEF3C8E0B9D0B2CF9,SHA256=EC35A4FA1B76AB81918A6F0DAAF669FC74FA3FFA53FF71C21FA27F801E66E0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.633{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=929BB6C52140CC41F8211E78956555B3,SHA256=D058E0B74305152002A743ED87CB68A4E7F7E461C97B4B73D5ED8A06B51979B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.175{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.175{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.159{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.159{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.779{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71F2B9849355B7EF75D922388DF05B7,SHA256=2DCAB6D6CF0AFDCDAE55B48F87A4C434649AFDF34EE61EE8C8CBD8DE133179D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:03.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69DE48CFF5E3AA112650E0D5E75257F,SHA256=5D0800A7F77F547F00A2D5D36DD884A1844E5D2B0D56EBDB25C0430F7AF8B030,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000025508Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000025507Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005da719) 13241300x800000000000000025506Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c0-0xd69b00dd) 13241300x800000000000000025505Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0x385f68dd) 13241300x800000000000000025504Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d1-0x9a23d0dd) 13241300x800000000000000025503Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000025502Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005da719) 13241300x800000000000000025501Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c0-0xd69b00dd) 13241300x800000000000000025500Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0x385f68dd) 13241300x800000000000000025499Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d1-0x9a23d0dd) 23542300x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:04.795{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29CBDF7965C19C321482E9F221B1F58,SHA256=0B52545347B9CB301A28FE05DB35589048386EFD933BF9E14A2F7C54576B6AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:02.793{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:04.420{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C030CD6803DA0BC8238EE7268928227,SHA256=1639FE86497C0E374EB8DA22DE5649B072C629DFAA59118C5A150FBC950BD744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:05.654{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B62F35CEB49DC77CCEAB6FBD0D7B8,SHA256=985D4A92C35D6EAD5E7C8710992BD7EB4EA6F85B713EB677DC60ADCE7F64E70C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:05.847{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:05.810{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF2D061BF615C34B8A24162061FDEDB,SHA256=551E2836DD7595EA1E97C77D0FD03382DFEC6E80A3B6BC46CDE77CD0F20668BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.038{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52205-false10.0.1.12-8000- 23542300x800000000000000025513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:06.716{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57067BC13AB340D9A8EFF33C40F968BB,SHA256=B98449CC0193913C1B48C5C9395CB621C7540C87CB06AFC77870D88DBB539B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4875953713CD69BB8326A93741BED5C,SHA256=B2314144721D04DE70FF6157B94DADDCDF6EF85080D59D1B0D176A8FE51BE095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.827{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1938D38A0138986B4D67904CA7AC32,SHA256=68207B7890B91950E52B1F350A9E7F21F07349AE60E337DE6F2B6EEE4CB203F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.827{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.732{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D95CF5B4CF5EBF4CBA14AAE2A5840B,SHA256=932A6C8CBA9D1BCEB11B36ABA0AE798E3B71EE50AA205C63716FEE5326FDBC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.846{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36D1384B0915E257529C54DDC1643C9,SHA256=0FD1A5FC0A7DB6DB9025FBEDA8ECF0B2EC855DC2C1528B985731C0BB397CB960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.608{80A11F3A-9FFD-6124-1600-00000000F001}12962252C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.608{80A11F3A-9FFD-6124-1600-00000000F001}12962252C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.758{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52206-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.758{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52206-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954FF6E6038D771126F9ADFD524886B5,SHA256=7F32BDD963D0BB182FA1D0E3AFB8D034E4A834DD1EE5F68998D2F5C000D89EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.421{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.563{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-106MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.408{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0459BB8BF1CA6F0C0FDBB476CEE70395,SHA256=A27937B49037D2F1F4ACB01D3D94AC61962DCDF46EFE54944C7CAD80EEDE4FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.308{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E8FE732A60D7FFC857B2C5297D80FEFA,SHA256=7BDA6B6C2D44772ECFB80B19AC739A73A7BA525AED2BFACE69B52457DBCF1453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:09.878{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5847D4700D2E2FEA8C3C2B9D739C3517,SHA256=C14F83CC0B05EF0D981D19AF7C5FFBBBCFEDC349655DF2369ED4CD6519B4F9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2025FECD311D844EF2BA5FAB5F0B1A25,SHA256=B65684FE61445B02412F2D8DBD5AE731FDC9379B6F864BED42723F0BB30A5053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7545D67E0D6B74E77EFF36060F6FB3,SHA256=348B964A90D07297BEBE4AC8DD5CB1659D4F27CA4FE02992C7512D411EB3B2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FB0BBE38AA22A50E8A784ED9E8D1B3A,SHA256=CC7685079A6452428AD129075B162A2DBDEFAD8B60A7A5E1D7177D81ABB530A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.248{D371C250-B9C9-6124-8706-00000000F101}12243464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.092{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:09.577{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:10.909{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0899DDE9A7F414D92E40942C1371B0AF,SHA256=3621D91A0CAD38423B772B28DA7F09181B9FE1C6510BC536CB9BD2A33635341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99A1A2648EDD12925C95366E5DFCA9D,SHA256=619923AC0E5D339BE8089D1F272BD9D6E1577275546C0048CEA45A328AECAED5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.190{D371C250-B9CA-6124-8806-00000000F101}32643600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.112{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2025FECD311D844EF2BA5FAB5F0B1A25,SHA256=B65684FE61445B02412F2D8DBD5AE731FDC9379B6F864BED42723F0BB30A5053,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.055{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52207-false10.0.1.12-8000- 10341000x800000000000000025570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9CA-6124-8806-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-B9CA-6124-8806-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9CA-6124-8806-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.019{D371C250-B9CA-6124-8806-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:11.930{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AC44EABC3AC95DD2E846CC11BA5D7,SHA256=45F29792A3BE8CA6169EE5247B31695689CC408AD6507889C9E0EC7A71ECB5CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9CB-6124-8A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-B9CB-6124-8A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.799{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9CB-6124-8A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.800{D371C250-B9CB-6124-8A06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.315{D371C250-B9CB-6124-8906-00000000F101}39043176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.205{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13857D2B6C0FC6CE8C27830CAFDF3596,SHA256=8D0148FE837DE6421E1D9AD47A95658E36C06653CE7B8DC89078BC92C366AB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:11.677{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2A1002B406F55B1C13C7CF32D1958E0,SHA256=A8C54F9C4BE49BA191A247C37DC4CC43ECB8E8E586CC70BD6EBBEFCA18EF61A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9CB-6124-8906-00000000F101}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-B9CB-6124-8906-00000000F101}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.127{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9CB-6124-8906-00000000F101}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:11.128{D371C250-B9CB-6124-8906-00000000F101}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.715{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:12.945{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824B7EFFF146EE9089DECD3EBB7148C3,SHA256=9BFB5B609D3D02C787DA484DA2BA6BF5BF90F81E7C9C9B47E42947EB547B589B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.301{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.221{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79885DADF7920BC866D9880912C2FA15,SHA256=06C222D820D1830745DE0630A0FDFA82D3C283711CFAD0590953CA879CC23957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.127{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE0F4935C36BB0BA0F919BDED0095C8,SHA256=F2C443339A6AE0E74E6270CC4DFB1653FC366B84D02E5E8B4D8CC5CDB3EC0607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.033{D371C250-B9CB-6124-8A06-00000000F101}2564648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:13.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34739C0614265B2FE36E7E4B395DA715,SHA256=92A57F866882DD166F90FCE9A475866A73164FD73B2D82A51343DCA760E018E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A70487DD7417A428E00F007489D241,SHA256=6C2C414178916DAE313189B46E3A8A0F0EEC2446C7530B26A99FB8BA2ACCA21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38216060E3FF7D2B5002133BE07889BC,SHA256=E66A215ADFE86117596FD8ACDD4779D14E94DDB3FA8A65931B298B4BEC43F3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:14.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CB10F02EA1F08C849BDE6F18B8B70A,SHA256=4C732BB36E9E4094D171F92097DDE15440A029DAB8E77120DD19BE42AFBC6C54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.644{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.628{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.628{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:15.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E1AB647802C6B06F4B593B3D4E048E,SHA256=3B805A608DC7FD7F09EA8DC7718883839DD1BF8D260F433F3EE0C3092F1D953B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:11.116{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52208-false10.0.1.12-8000- 23542300x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.006{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BE10501DBFE4E8D9B12E57220F6910,SHA256=3DADDDDDFE5B4C99D3FB8265C96B54D6B1341DD2BEEFAFB4292F12CCCDC6CF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:16.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FD704BFB5CFE5553E2736523A82F65,SHA256=C557C2ADBC7735EF38BDE2AE05EFAC30705E2F4AA6B97A276996D3D755253751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:16.007{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D687507A80FF3F78919A257D5CAEC9BF,SHA256=565038994201485E58D5E044D00B04A56E03D0529F5B9EC88556043B8DFD97D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.782{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:17.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4FA0B978294DAE8760926BCD5503D6,SHA256=FEE8384D12F245C334F7E7DACCEEDBDCBC32BD06F9250761DDBE288AA52AD4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.628{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.628{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.627{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.626{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4875953713CD69BB8326A93741BED5C,SHA256=B2314144721D04DE70FF6157B94DADDCDF6EF85080D59D1B0D176A8FE51BE095,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.607{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D88B7CA6C606DE243A9D04E4C320C6,SHA256=4CEBA6CC8E974B41BEACC523A795169FDD8FEB39D5E6EDE690AF1F23BDF194A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:18.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202E087E7C0776204DF2630ACFA7609F,SHA256=9EC7A8EAA249E6DB9E7DE387231A174CE4B3EBAD09189CB34E6BEAC4F26D18D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.959{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BF-6124-9706-00000000F001}5788C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79899|C:\Program Files\Mozilla Firefox\xul.dll+e7ad5f|C:\Program Files\Mozilla Firefox\xul.dll+1195606|C:\Program Files\Mozilla Firefox\xul.dll+e766dd|C:\Program Files\Mozilla Firefox\xul.dll+e5e5f0|C:\Program Files\Mozilla Firefox\xul.dll+1ef0312|C:\Program Files\Mozilla Firefox\xul.dll+1a31108|C:\Program Files\Mozilla Firefox\xul.dll+1a3327f|C:\Program Files\Mozilla Firefox\xul.dll+17a86d7|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a5738|C:\Program Files\Mozilla Firefox\xul.dll+1756d76|UNKNOWN(00000320DE9D1E84) 354300x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.520{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55060- 354300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.517{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58415- 354300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.187{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58242- 354300x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.185{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61048- 23542300x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.075{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE53F349DECFFD3CF9E1A5C7F796167,SHA256=F109B284E462B52A36ADC50148ADBAD889B2861DE49AD0F9055D6346BE954C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:19.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290F260F73B67F4E8DAB3AE4E7A9CD1,SHA256=1FEB0F11DD417377903E76E7C812585E1CC9786901D8BF2CE90946EC58D10336,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.609{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52209-false3.215.161.145ec2-3-215-161-145.compute-1.amazonaws.com443https 10341000x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.374{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.374{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.523{80A11F3A-A5BA-6124-9206-00000000F001}5540analytics-collector-28944298.us-east-1.elb.amazonaws.com0100.26.82.72;44.195.138.131;3.224.104.154;3.215.161.145;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.522{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.215.161.145;100.26.82.72;44.195.138.131;3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.522{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;::ffff:3.215.161.145;::ffff:100.26.82.72;::ffff:44.195.138.131;::ffff:3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.105{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A5B0406C2CED3C368D4F9393CE5543,SHA256=CC3539B654109E4E3D0CB067E388E8F0F60D41F748BC1136EBFD838EC051D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:20.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEF0B5EFA14C9C8BBC4AA899BBF464C,SHA256=5B839DFD0C0F984E03D310F540A18BA76CCF7466AE371862A4BBFD1583200A57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.738{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.681{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BF-6124-9706-00000000F001}5788C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79757|C:\Program Files\Mozilla Firefox\xul.dll+8dea37|C:\Program Files\Mozilla Firefox\xul.dll+8d2f14|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.674{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539 10341000x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.669{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539 10341000x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.665{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\cache2\doomed\18200MD5=0C58E9CFD1C20412019928463563193C,SHA256=F2F26AC5848DF1C00C361EC9958FF169A2F29C142755285AC9C5B81CB3CCA116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.645{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.126{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11734243F9B8629B69F8F7CE849C877,SHA256=0856AFD2B264436F2EC0EC1A59476E622A203AD84FA22FE75A32F203A7DB799F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:19.688{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:21.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D1D55313DA4D92CC3C3FA25989F4D,SHA256=80473A661089A18750EDFB7346A5F976DBFAEA36C9C2F4F177FA1C2A91A5AC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.859{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local51695-false172.217.23.110mil04s23-in-f14.1e100.net443https 354300x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.858{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51747- 13241300x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:20:21.974{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0x438af1f0) 354300x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.522{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local53069-false142.250.185.195fra16s52-in-f3.1e100.net443https 354300x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.521{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53218- 354300x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.520{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58587- 354300x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.518{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53068- 354300x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.422{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61503- 354300x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.421{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63066- 354300x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.421{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54020- 354300x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.283{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55178- 354300x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.114{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52210-false10.0.1.12-8000- 10341000x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.141{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539 23542300x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.140{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5682676EB52EC65DE8BD29B3DE3E160D,SHA256=27BCC557FD042C70EA243DD17F8103CB168D171A5122808C111FF1C66324A072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.113{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:22.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F8AC3722A39C9387581422ED6CDD8,SHA256=276EE8815953AD279DE75D29A4CE1348EF869A49D9A1407C11AEF21A9C1CE670,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.094{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local55189-false142.250.185.66fra16s48-in-f2.1e100.net443https 354300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.068{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55188- 354300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.066{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53207- 22542200x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.861{80A11F3A-A5BA-6124-9206-00000000F001}5540plus.l.google.com0172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.860{80A11F3A-A5BA-6124-9206-00000000F001}5540apis.google.com0type: 5 plus.l.google.com;::ffff:172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.528{80A11F3A-A5BA-6124-9206-00000000F001}5540gstaticadssl.l.google.com02a00:1450:4001:810::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.524{80A11F3A-A5BA-6124-9206-00000000F001}5540gstaticadssl.l.google.com0142.250.185.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.426{80A11F3A-A5BA-6124-9206-00000000F001}5540www.google.com0142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.425{80A11F3A-A5BA-6124-9206-00000000F001}5540www.google.com0::ffff:142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:22.203{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4690574327DC13CB1B67F5E34E833AF9,SHA256=DF03C1DA7F3DEE4209D9ED6295E6B1F3F875629DD7C2AD86BB9ACE22422CBA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:23.658{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8911DA9D1A786FBE04A6F0D059EA7FCA,SHA256=24D2A67DD90CBFD41D1707CC9962ED32C07EEA003D2B01B1216F320BA4436A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.403{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58590- 23542300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:23.687{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=4C19C1D4D846E61515B6EBD2BFE0C394,SHA256=7A2966126E883B7AEFAF001DB669F84DDB9D18F9ADBCF4F495C6C691F7A4E4EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:23.337{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F8F2CED1220D0E05E36C2403A7581,SHA256=A7F4A103EE18F6CC1C00610EE7892B1FCBDF193C52080BD5146394317B9C00CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.894{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779A2721BD007A6AE8F648BB910DF7AA,SHA256=E4CAF9BB719C9470779E50CC0D54323737EFC1D273F8D548B2C449A7894B3FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.469{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53530- 23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:24.349{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C56D84CD4FED19777AD76944D67EA,SHA256=F0825C7C4779E05389BA37B0ABCBF8BF94BB48F8ABCB2A93A2E263FBC7A09ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.740{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-099MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:25.754{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.912{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.908{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.359{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.690{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:26.127{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C9629504CA2E1609BE63B0FC9F1F09,SHA256=E759D5A71A717C14AEA05BA3CC55F3328D801A3956FF842C5AD6712711ECCD35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.951{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.915{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFE7C69CA0EEC7D0042D6186E00A5D1,SHA256=23668A552A98D7740A36098F3550CD4DE64F54AA795CC0792281EE469A1C6F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.914{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:22.924{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52211-false10.0.1.12-8000- 10341000x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.431{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.428{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.428{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.426{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.364{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:27.348{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4C9B9BF38828071DEBBD2A9DE2470F,SHA256=42D64BB84969EA1D676B01AAAED8B1F5061C49195BBF96110DE0DBCD3DA50610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.981{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFE7C69CA0EEC7D0042D6186E00A5D1,SHA256=23668A552A98D7740A36098F3550CD4DE64F54AA795CC0792281EE469A1C6F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.504{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=6F4FA778793DBEB159C4CD468C4F78FF,SHA256=B347E506F2EACB9895B15D51D5A9C75DFE77B3D864E28A874E9D8EACA2A1CB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.380{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308030657F7D7FD919D4C9623EBD0D43,SHA256=468C25823E6C611E61C7C98EF2FA39DE3BAC7B52A1D8F380D540E0339B8B2DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.164{80A11F3A-B9DA-6124-1B09-00000000F001}61927132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:28.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B26B5919F193ECD1057BF82715FAD36,SHA256=A7FDA746A3BF567C6B7F18E72A7EB192A0437F4A65DD76589323B9D18990D41E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.893{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52215-false192.0.76.3-443https 354300x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.893{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52214-false192.0.73.2-443https 354300x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.887{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58934- 354300x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.887{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51722- 354300x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.886{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62399- 354300x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.876{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62336- 354300x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.873{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52213-false142.250.184.234fra24s12-in-f10.1e100.net443https 354300x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.867{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55911- 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.844{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DC-6124-1D09-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.843{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.843{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.843{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.842{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.840{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DC-6124-1D09-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.840{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DC-6124-1D09-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.840{80A11F3A-B9DC-6124-1D09-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.560{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52212-false104.145.225.3pandora.digitaldatacenter.net443https 10341000x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.570{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.423{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.422{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.422{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.398{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D84AD1D5AADD7F98EC5117075BE8F2,SHA256=3C8989C33D4334A8D6F4E80FEA0D94CC511D49A15035519949CFC3084E01D190,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.392{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.377{80A11F3A-B9DC-6124-1C09-00000000F001}50487080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.282{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.281{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.175{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DC-6124-1C09-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.173{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.172{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.172{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.172{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DC-6124-1C09-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.172{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.172{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DC-6124-1C09-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.171{80A11F3A-B9DC-6124-1C09-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:29.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442C271363A9B287CA43F6381A89C9AE,SHA256=9765A77654D789E8EFAEF95299F0C8B186F1EEFB469D3FC5F03B1E414F3A91A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.726{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52222-false93.184.220.70-443https 354300x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.725{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local56450- 354300x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.722{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60321- 354300x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.646{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52221-false192.229.233.25-443https 354300x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.567{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61058- 354300x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.473{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52220-false104.244.42.200-443https 354300x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.462{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61008- 354300x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.316{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52219-false192.229.233.25-443https 354300x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.312{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52218-false192.0.76.3-443https 354300x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.311{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local59883- 354300x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.311{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55561- 354300x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.311{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63617- 354300x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.309{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61749- 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.679{80A11F3A-B9DD-6124-1E09-00000000F001}32005944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E958FBE4AA273E8842245622120CA7,SHA256=DA0A2CA50E69738BF8361FC1ABC412A1266D5436F847AD4978E24D9CD0748898,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.314{80A11F3A-A5BA-6124-9206-00000000F001}5540cs491.wac.edgecastcdn.net0192.229.233.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.314{80A11F3A-A5BA-6124-9206-00000000F001}5540platform.twitter.com0type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-eu.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.233.25;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.513{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.511{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.511{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.511{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.511{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.511{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.510{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.510{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.308{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52497- 354300x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.179{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52217-false142.250.185.195fra16s52-in-f3.1e100.net443https 354300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.178{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52216-false142.250.185.195fra16s52-in-f3.1e100.net443https 10341000x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.370{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.369{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.249{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=D276B07DB276625660072749DEFD2AC4,SHA256=A7A128768982AE24C3F68F02F119652F8E845CF6DA5E8EC62329FA6CC2114345,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.908{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local58935-false142.250.184.234fra24s12-in-f10.1e100.net443https 10341000x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.242{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.241{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.241{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.180{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.176{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50495ECF4C0B813268B2661AAFF421C,SHA256=D86634FDDE78B1AF3BA3CAB71D501111DD253A2C2497DA38CF6BD8B0A0F8EE36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.065{80A11F3A-B9DC-6124-1D09-00000000F001}42806184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:30.455{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035FA0E64EC77D46AEE5C04FCF37A915,SHA256=5861470E8C02BD84A8681B96EE911EA929EA1CBC5B69EE08628616F27528B797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.585{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60072- 354300x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.584{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58753- 354300x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.997{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52226-false152.199.21.140-443https 354300x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.997{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52227-false152.199.21.140-443https 23542300x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.603{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5263218C099DB4C818387753F075D1F8,SHA256=C2EAEF762B0EFEBC6B842056BFD6AFE53C04FBCCA75A01408711DA0F308709B5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.730{80A11F3A-A5BA-6124-9206-00000000F001}5540cs45.wac.edgecastcdn.net02606:2800:134:1a0d:1429:742:782:b6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.728{80A11F3A-A5BA-6124-9206-00000000F001}5540cs45.wac.edgecastcdn.net093.184.220.70;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.316{80A11F3A-A5BA-6124-9206-00000000F001}5540cs491.wac.edgecastcdn.net02606:2800:234:46c:e8b:1e2f:2bd:694;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.517{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B557D20709A81E9C9EC20A4F458534,SHA256=208EE5EC7C24EFB5CAF7A83B05F01DCFB77BB21A1546638CC3C025A1C42BDB34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.421{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.421{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.996{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60027- 354300x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.994{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52785- 354300x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.945{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52225-false93.184.220.70-443https 354300x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52224-false152.199.21.141-443https 354300x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52223-false152.199.21.141-443https 354300x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.939{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62315- 354300x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.938{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58418- 354300x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.937{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62732- 10341000x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.178{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.176{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.176{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.174{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:29.844{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:31.470{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E66A049B0D09214EE3BB406542B7280,SHA256=87A5EB419C8901570F568B0EDD8E2AA8D1B1FC9A25E2CC247E5C7CAC9B9C3973,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.119{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52228-false10.0.1.12-8000- 354300x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.610{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-391.attackrange.local53domainfalse127.0.0.1win-dc-391.attackrange.local58753- 354300x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.610{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-391.attackrange.local53domainfalse127.0.0.1win-dc-391.attackrange.local60072- 23542300x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:31.579{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D33949E6E7D65A9212841EB551813C8,SHA256=548CA2C60755F17EBD32D531CF466DDFAA25381190AB5D92784E781FF8CEE974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.689{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.470{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856AF57287725E68EC95F90C7A712BB6,SHA256=2129E5DBA8F47D9DCBEE9B69C3994F56418DC5E28AF8AC9EDD9F13F00A411C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:32.583{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47E75ED5C8BB40A9ECA0661BD15FDB,SHA256=C88797BFBE3EA5AB1786171BBC07DF4F7E3C5A1B663E96B3861722AF04716512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:33.689{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6D6798584AB6A8FA7F28CF02601E87,SHA256=6DA8067A3E6632CB8EED961D5439E5434DD460E74CE84D105BC0D792EFAE28E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:33.586{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF6DC225FCEA7944A8D308DDD84B3DD,SHA256=EF49B3B640741179C2383B72693541BBF033E8CAA271B0AD2FEDDC9A2EFB0E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:34.704{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07762C4C04FCDAE2E16E96922FE8A552,SHA256=0A506D6838154CB3CD7942438E3D28447CC778F9D4FA9BBB980E8ECA37A4A2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:34.598{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C660E7278BDF833309E16CC0143E928,SHA256=74B7DC095FFCC2B0FB1CDFECA0260EC206B8DDA800A6666AD8B9A0D164EB95DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.282{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000025649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:35.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D70F5B8D7B327863E5E9CFA4DD766E,SHA256=8533D576D7F03B524D1ADECD2358CF131612B42F69D28835382FA98C1B802ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.602{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7795E51D40421750903A2EB41ADD781,SHA256=AA345CF3A8351A53B30E4FB30BF2AE5D178A3C9D173FCF565E9EDA94CA7A9A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:36.986{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F36CB9D4E2EB16E05162E76DF7447E,SHA256=DC53A8582550BAA8889BB627A1EB754602E717AD1BE8F2567381BEF455EAEF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:36.608{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514182324B7EFF8ED0B3CBA07F683929,SHA256=1A217EC830CF653FCF84C40942B6E3E8B6B192CC3376191BC5D8779F7B54F244,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:35.703{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.985{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.710{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.630{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990343FCA8E391BB5E8BE8E5295A409,SHA256=87CD7C80905B6C852C570022F45368244DA9A7EE4592AC8AE5AB0D236FF078B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.390{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.107{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e76123|C:\Program Files\Mozilla Firefox\xul.dll+e65391|C:\Program Files\Mozilla Firefox\xul.dll+e66864|C:\Program Files\Mozilla Firefox\xul.dll+e68d23|C:\Program Files\Mozilla Firefox\xul.dll+c8e024|C:\Program Files\Mozilla Firefox\xul.dll+c8b227|C:\Program Files\Mozilla Firefox\xul.dll+296b50|C:\Program Files\Mozilla Firefox\xul.dll+2966e1|C:\Program Files\Mozilla Firefox\xul.dll+f9c735|C:\Program Files\Mozilla Firefox\xul.dll+17952e4|C:\Program Files\Mozilla Firefox\xul.dll+1793c45|C:\Program Files\Mozilla Firefox\xul.dll+c8d89f|C:\Program Files\Mozilla Firefox\xul.dll+278ee6|C:\Program Files\Mozilla Firefox\xul.dll+39f83e|C:\Program Files\Mozilla Firefox\xul.dll+d216a6|UNKNOWN(00000320DE9D3110) 23542300x800000000000000025652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:38.126{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C136DAE9403995F7A2605645C29B28,SHA256=8415AFF151D3C547281FB036F1C7879DF99A9C150A983683B44244A181269FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.669{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E948AD1321D81EBEB691A1583E9CB4CD,SHA256=4F023C2C540F16772509F4FC6D93AA1AA433D3877AA8170B4DE4BD0F13C5C58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.668{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D430673AB684C419A70C2E673FAD8C,SHA256=5F6216DCEC0357481D72F09847FC6AE0FA64B63592CE6DB78E5ED09D4BD5601A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.648{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.248{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBD31A28A1BDDBA4C6BBA8773205358,SHA256=105A116DC5274706F4D86A5A4F9771841F00494EEF81D3794E4B4B69A93B7439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.247{80A11F3A-A5BA-6124-9206-00000000F001}55401504C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a25601|C:\Program Files\Mozilla Firefox\xul.dll+a86785|C:\Program Files\Mozilla Firefox\xul.dll+cff01|C:\Program Files\Mozilla Firefox\xul.dll+1a0b8a2|C:\Program Files\Mozilla Firefox\xul.dll+176639d|C:\Program Files\Mozilla Firefox\xul.dll+16954dd|C:\Program Files\Mozilla Firefox\xul.dll+26542|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+8d3bc7|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.234{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.233{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.221{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.220{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a68e78|C:\Program Files\Mozilla Firefox\xul.dll+a2cd97|C:\Program Files\Mozilla Firefox\xul.dll+a75619|C:\Program Files\Mozilla Firefox\xul.dll+e6e8d8|C:\Program Files\Mozilla Firefox\xul.dll+1a171f4|C:\Program Files\Mozilla Firefox\xul.dll+1a0b8a2|C:\Program Files\Mozilla Firefox\xul.dll+19e35b2|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}5540\cubeb-pipe-5540-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}5540\cubeb-pipe-5540-6C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.186{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.183{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79757|C:\Program Files\Mozilla Firefox\xul.dll+8dea37|C:\Program Files\Mozilla Firefox\xul.dll+8d2f14|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.183{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.181{80A11F3A-A5BC-6124-9306-00000000F001}1640\chrome.5540.15.123935828C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.180{80A11F3A-A5BA-6124-9206-00000000F001}55406976C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+1b9bbc|C:\Program Files\Mozilla Firefox\xul.dll+a2f2a6|C:\Program Files\Mozilla Firefox\xul.dll+a2a051|C:\Program Files\Mozilla Firefox\xul.dll+1a03c46|C:\Program Files\Mozilla Firefox\xul.dll+1a024e1|C:\Program Files\Mozilla Firefox\xul.dll+13705|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+12de8|C:\Program Files\Mozilla Firefox\xul.dll+a0c091|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:38.180{80A11F3A-A5BA-6124-9206-00000000F001}5540\chrome.5540.15.123935828C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.179{80A11F3A-A5BA-6124-9206-00000000F001}5540\chrome.5540.14.213904581C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.178{80A11F3A-A5BA-6124-9206-00000000F001}55402256C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1354cb|C:\Program Files\Mozilla Firefox\xul.dll+123998d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.178{80A11F3A-A5BA-6124-9206-00000000F001}5540\gecko-crash-server-pipe.5540C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.137{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e6763c|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.136{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.135{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.135{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.135{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.135{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.135{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd 10341000x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.134{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a69dd8|C:\Program Files\Mozilla Firefox\xul.dll+e78f88|C:\Program Files\Mozilla Firefox\xul.dll+e672e6|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.134{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+e6725d|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.134{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+c22d5|C:\Program Files\Mozilla Firefox\xul.dll+e66f34|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.134{80A11F3A-A5BA-6124-9206-00000000F001}55406976C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a234df|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+168795b|C:\Program Files\Mozilla Firefox\xul.dll+1a02565|C:\Program Files\Mozilla Firefox\xul.dll+13705|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+12de8|C:\Program Files\Mozilla Firefox\xul.dll+a0c091|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.122{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.122{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.121{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.121{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.121{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.121{80A11F3A-A5BA-6124-9206-00000000F001}55402948C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2efed|C:\Program Files\Mozilla Firefox\firefox.exe+2e1f5|C:\Program Files\Mozilla Firefox\xul.dll+1fbfbea|C:\Program Files\Mozilla Firefox\xul.dll+a1ef43|C:\Program Files\Mozilla Firefox\xul.dll+a1d105|C:\Program Files\Mozilla Firefox\xul.dll+a243fe|C:\Program Files\Mozilla Firefox\xul.dll+8d1360|C:\Program Files\Mozilla Firefox\xul.dll+16954dd|C:\Program Files\Mozilla Firefox\xul.dll+2660a|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+8d3bc7|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.120{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe91.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.14.2139045812\1159667313" -childID 7 -isForBrowser -prefsHandle 6952 -prefMapHandle 6956 -prefsLen 16309 -prefMapSize 234501 -jsInit 1092 285716 -parentBuildID 20210816143654 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 7004 1c46e683938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232LowMD5=FA9F4FC5D7ECAB5A20BF7A9D1251C851,SHA256=49936283672808DE852727CA17A946FC63F0DC0F7E4D9EAB800CE81612EED84E,IMPHASH=6DE9E29DFB7DEB336155C42BCB9F9A14{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:38.110{80A11F3A-A5BA-6124-9206-00000000F001}5540\chrome.5540.14.213904581C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:34.045{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52229-false10.0.1.12-8000- 23542300x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.657{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EABC8BA45017013EBB4224DBAE661,SHA256=0E3B9649404FD875D4FACB94B674F50D80FA5D6CDEA5CC6F80E90C926F4AEED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:39.361{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045DAAEF9AD54755CD0468B2F74650BD,SHA256=D7DAD74B452B740DA448A6C972E4ED9E618399D2AEB0F6252ECBFED520FB8AE8,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.032{80A11F3A-A5BA-6124-9206-00000000F001}5540raw.githubusercontent.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.029{80A11F3A-A5BA-6124-9206-00000000F001}5540raw.githubusercontent.com0185.199.109.133;185.199.110.133;185.199.111.133;185.199.108.133;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.028{80A11F3A-A5BA-6124-9206-00000000F001}5540raw.githubusercontent.com0::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.036{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.036{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.035{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.551{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52231-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.551{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52231-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.027{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52230-false185.199.108.133cdn-185-199-108-133.github.com443https 354300x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.026{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54792- 354300x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.020{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58693- 10341000x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.864{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.744{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e6a32e|C:\Program Files\Mozilla Firefox\xul.dll+e551cc|C:\Program Files\Mozilla Firefox\xul.dll+c8cfa6|C:\Program Files\Mozilla Firefox\xul.dll+23bd71|C:\Program Files\Mozilla Firefox\xul.dll+8baf61|C:\Program Files\Mozilla Firefox\xul.dll+18744d8|C:\Program Files\Mozilla Firefox\xul.dll+233303|C:\Program Files\Mozilla Firefox\xul.dll+23326b|C:\Program Files\Mozilla Firefox\xul.dll+d175d4|C:\Program Files\Mozilla Firefox\xul.dll+1720ce0|C:\Program Files\Mozilla Firefox\xul.dll+16eb6b8|C:\Program Files\Mozilla Firefox\xul.dll+1b8122d|C:\Program Files\Mozilla Firefox\xul.dll+17a5738|C:\Program Files\Mozilla Firefox\xul.dll+1756d76|UNKNOWN(00000320DE9D1E84) 23542300x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.662{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FC84B953411F485E1842314BD9599B,SHA256=DC10304C49E92B37BDBB4AC2D8047DBA153EEE80C278DEC83C327EDEB7A52D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:40.376{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C92B92CA3A9CD9D03662E786B642C4,SHA256=367083465F3D3061ED354F5A4DBF0ECA4E2D0B813F55BE32C746CFA9EEF5A6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.209{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.208{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.206{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79899|C:\Program Files\Mozilla Firefox\xul.dll+e7ad5f|C:\Program Files\Mozilla Firefox\xul.dll+1195606|C:\Program Files\Mozilla Firefox\xul.dll+e766dd|C:\Program Files\Mozilla Firefox\xul.dll+e5e5f0|C:\Program Files\Mozilla Firefox\xul.dll+1ef0312|C:\Program Files\Mozilla Firefox\xul.dll+1a31108|C:\Program Files\Mozilla Firefox\xul.dll+1a3327f|C:\Program Files\Mozilla Firefox\xul.dll+17a86d7|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a8b7c|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1d32f42|UNKNOWN(00000320DE9D7C54) 23542300x800000000000000025655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:41.501{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0188EC7BBEB9CE30B1C3A3706601C,SHA256=204FD661904B47697194B252A87AF610D0E3784FF3E9EAB99C5637F6EA55306A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:41.669{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6EC2B463E55754810D2D4C220982DD,SHA256=1CDDEBFDEAD39C83F2A70CA6996C554A9A2C381FBF993B3B3C2ACDEDABB2185B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:41.206{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\aborted-session-pingMD5=9528A5F635827FCD481B844CFDBEF254,SHA256=F9C7307F8CAFD47F3CDB63A1E0DEC843083B2D3B2B2380E8717A0B6845BB875C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:40.813{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:42.720{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A3B046ECC961A61A5FA9699EE28EC3,SHA256=8A98D7B8AF7EBEF298008C25A57782E0816EED36FA2B1612E7762A0A290E0EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:42.676{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5631FDF06F678C0F7B93B0BCA90FDF,SHA256=DC6ABDFCB43152114243E77E39AA01689659758264809FE43D74B56599E48C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:43.939{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4E4027927F9082BA470AEE37B73739,SHA256=20867BA6EAD48C9D40DD565BAEF0FC38BFD214FE9431312D608936FFDB2BC3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:43.681{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E3177E2B9310B1316F94DB0A61CB0C,SHA256=4DBE67D5A2F19DB63A2B6B64C9F14FF0B6EC608DBA1B0865B0BAC69B85186DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52232-false10.0.1.12-8000- 23542300x800000000000000025659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:44.939{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4811133ECCE9F56C82C0F490D8FAE32B,SHA256=C53AD0318219D9935338DD7DC72B31A963E9A0F4569322945421520F7898678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:44.688{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762681941E045AFF8C39BEE71071619,SHA256=E7635B6418307CB6B22E8FF7A9D28FDF98FC3875A357C86513970E45434912A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:45.700{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F768EBDFD3F6C676051E31E9B0DA4B,SHA256=70EF30E4CFF704A660DFF0235649520D7AAE371998A7CCF4CB372B2998916CBE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000025661Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:46.626{D371C250-A1CD-6124-1500-00000000F101}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0x523c942a) 23542300x800000000000000025660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:46.173{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EDF2C54FF7EE843E55052645EE91A,SHA256=849B7E1C18DD24451554E2F8374100D00846C7122E54C9FBD90677FAB7BC1F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:46.703{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC79AFD7D512F1C6335FFA364426B9B,SHA256=EA24187425028A9071EDF2B67B31DF6BA43CD4BCC354B7379F6B681E14527195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:47.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF0211D1AD44AC024D9C6E0E11E6326,SHA256=BC6CD68C23BABD4BEF2CF9066B4A403CE33D68D08EFAC57F6A052312EF2D56BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.942{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.572{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.571{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.571{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.571{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.570{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.569{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.956{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796D428789661DC27873936552B45556,SHA256=99939175DBAFE36D6911C5D83DC18BDA3F3002F61AB0AFB216DE7381B45764F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:46.782{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:48.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4954CAFDFFBB763E1F9536E96D242C,SHA256=EF864424D9B6EB2CB276BD1EF524A39339457423066A47B0BD8AF9AAEF01B405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.142{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6ECA048C80D528F6A45AE4E867B01451,SHA256=BE42F491FC362B26C31CF036C064F1B8C85E6CC0CA3879B6686114DD4629AC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.141{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5C471C63A42F85F61228518DFF10EC0B,SHA256=BD45B8D7E73C5B1986B5A9E46B6A84F6EC51CF43C25AAE451071A4F24945E12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.140{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=48A80BBF15D7194C4627DF8EA7E1DBF8,SHA256=7B0252D330F4BBB87FAC83ED147B1BAFFBFAF00AB5D3C08508554F849CB145C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.138{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=678D1E2AF9EC79B1CEA5F883040523D0,SHA256=64C654C2F7D55C871F1C5770DDE7B0E144231E6E05EE13E31845135D1926496A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.137{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=FBB778D9546A80BDAA18EFD43286851D,SHA256=56C8A14C892872E3DFE73A8FE1B1D8EBF8EAF0E22D4FB45D6B044A3CEAB3BFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.136{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=DFAB101936251914AAB563810C94FA6E,SHA256=70CE4DD147D823FE42D773843690C2F0C44D2DCC667BAB42CF86223FFE30B3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=87944E14A708A41453D474A49EC5DBA7,SHA256=CFBBFDDEC134001E485B0C72A60903F436BCAACBBE1AFF229FCAC52DDE38931F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.133{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B90FE4A4650EDD186C25494EBC62664C,SHA256=A70FAE415EDCC3CF7F0C743117DFF643889AB1D50941F2FCEDCC03EC7DFED12A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:44.156{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52233-false10.0.1.12-8000- 23542300x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:49.962{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C81F1DA9D8AA74BB32198BBB147DD31,SHA256=B0178F8BDDA64BB433C6DF00BB771388DCBABC80C170ED94CE3208DE95C0EADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:49.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA3F8D4EEAC69C3C239416DF6BD0599,SHA256=A0BF4447EBBAE52CE5117223E462886C04FA82A32B96E21AC9E521FEFF9D436D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:50.785{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6F18792D571F4322D0EEEFA7E3310079,SHA256=990F6F166023B612EFF945DCD7EF6071DB5A77615FFA19714B8331CB8789D001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:50.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA32DB972ABDB9A11A787309F31D7FC2,SHA256=45ADEB603E255ADF4B88C1EC6CEF18D9655E254CBD6D00A475646BEC54290506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.967{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E0FE45374E059161E36F99B77A5917,SHA256=56AF5F5761B86DF1209E42345FD5AF8896D48B0E9562AF648D86FDFDF2210450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:51.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792C02E6DBFB9C9D5AE363340CAB0C36,SHA256=A1983568DDC8973D2ECE1A2AE819037E0F9A42D63DC4B8DC4E44A33A7747C733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:51.974{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353D3C199606E8AF78C3FB72776877CA,SHA256=E500890F5B60EC1F479F633F48A02A7BAD6B8EC3DD6C8A0C1A47A3ED20D7A280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:51.041{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:52.979{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CEE53A66C4923CA7A6289004E10090,SHA256=5346D3D40EF3BC80C3C52618D6DBD03BF61F717DADE368DEF53BAB24A8018297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:52.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1286BB774877C1A5C9F3B60FA9DC8BA0,SHA256=CA8E8D1AC29EEFE9D2A5EB8AA0DEFC201D88C1235C4E76B2159D523BCE51B221,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:20:52.884{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:20:52.880{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:20:52.880{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 23542300x800000000000000025670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:53.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809EC2BEAF019BE1C8C4BAB5B1452F3F,SHA256=D3BA602761C8FB1B685EF8E75B01D8966A107851F61C299130E037B46ED90052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:53.988{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DAB22B22290434C84B200993EBA5E1,SHA256=E2834417FF53A7A394F5C029272F2461407E68B269736F0304F3471F36966B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:53.894{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69EB52FC7EEB6AEB64289EE4798CF11B,SHA256=4D944D7D5002B7B7A1D20353E06EA62D6D48FD61D33B66FA771D8F02FAF8C15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:53.893{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E948AD1321D81EBEB691A1583E9CB4CD,SHA256=4F023C2C540F16772509F4FC6D93AA1AA433D3877AA8170B4DE4BD0F13C5C58E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:48.937{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52234-false10.0.1.12-8089- 354300x800000000000000025672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:52.690{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:54.722{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CB4F537087F77905EEFAB16B59B912,SHA256=74919156B621E5FD4714528EE155DB6C4F534438EEABF6CDB35C32C2E39AC749,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.806{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52238-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.806{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52238-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.795{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52237-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.795{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52237-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.773{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52236-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.773{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52236-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:50.036{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52235-false10.0.1.12-8000- 23542300x800000000000000025673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:55.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C242B0720D52987F495D3B535121455,SHA256=BF0A355EB6F7A853664B83101BA7057184EC91A64CD9B68F7FB02F2097553962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:55.000{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B005F0C9B514A0366D16CA8AEB5DAF,SHA256=78F11B9A6BC9CB0CBB80F08D37876E2384E80A33916CBC3A6166C3F7E46E57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:56.008{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F606795AAD8C0947F8743B1567877ABB,SHA256=CE5BCA6E5EA02922A1FF29645314025C5043A73678ABE7DBD81952B52A0462DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:57.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67236880F60FEB848F7D7D25038AE39,SHA256=FE4525AE0903162559BE251C789902BADCCC8733BDC3E127FD0EF66DED0FE121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:57.022{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F2FCE99E313FA785E1C7A7FF5A9C32,SHA256=03EA5D2AFFD956DF8DB2B66C4A0D4AC2B751F8F5B689EECFC69742912DF86EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:58.253{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32218DAA1830A315B7878903635637EA,SHA256=B8C7DCBDA9E11D37BD4A0C57014ABB539A17788EF710C15C8ADDE776C19EE8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.163{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=BAD222DB26D230389EEBBF97E10C0B5C,SHA256=3A384733CBB5DFAC57BF25581F8A36FEA786D03AE23EA7D5C81401502F8ADA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.161{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6C82E269EE2D8027D7805DC248175F9E,SHA256=D90AF0706F56F6FEFEE9610D9A62F99BEF3DE50986246D0968C33EB6C512AD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.159{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=4608CE4443A6827BB67CFA5B650ED511,SHA256=728ECB96E9B4780BCD3614DFFB9C85A89D864C20279B400EF34EA021A3707C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.158{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=52A63FC8922CA162C396DCFE3612BCDA,SHA256=01EB74E1F7A9A9168CF849EEFA052239A70063BB00F59C08655B101BB6C73CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.157{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1DE06ACA5E8F7EF1A30D5C14938FD560,SHA256=9FEABE2624423E3F067CAFF53927E471C85EC055D44B2B4CC98BF35EADCFB760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.155{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6BB9EB9AEA5C56B2F0DE516F719574A7,SHA256=E9937CF99C71A7DC5661A526F1687E67D147F84DA992B6AD336FED97D01AB3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.153{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E6961F9F141DCE5891F9E820832EE2B5,SHA256=799D984E4F4A5DC5498E2845CB6667BD4266485E5BFD5200C26E10AFC96B28DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.151{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=19DA9FEFC9D1CEC49159DD50A5E7669F,SHA256=A5AAEEEF60BDE299318659D0A43364C40B6E9CBC80D430AF54D5CD6F1AF4D634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4915E8C911052A03794D448D91533E,SHA256=7A2BEAEB454ECD1F6ABCCA44D71DF907D60FE6507163ABFB77B8AC91549532DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:59.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E23E2D1219EE94A2F55FE826B580C1,SHA256=E82A3AC39823A365B39DD9444CADD81FB57A4CB6CEB019A4DABCA424FFF9C60A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:55.078{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52239-false10.0.1.12-8000- 23542300x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:59.035{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA18C4802E322A9B118EF8173C9B7FF6,SHA256=F10163FFBB280B2A443D3C78010650A526CD5B6F9732086A10F0128BBA4769D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:00.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98AB79876CFC429B51D40EED2A6CCF,SHA256=27F12A4B6F6A2C3762D97A9F070CB7C9B0F448676F687D85A7A02DF579380E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:00.050{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EAB5D62DE5B68C0EAE7BEA23FC29CC,SHA256=4B2EBEC1A6554622194BABA182C7CBE0A5710708227CAA77E4573CB1A9D1FD4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:58.706{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:01.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A700BB1DB46578AC700F7386F6F33BB1,SHA256=212DF1E5BF7BB3BC0ADB73B54ED2445DCB5CBFF627DA9615869BD0A8D418647E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:01.066{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D30A099610EAC09478F08D8F3BED1F,SHA256=DB6CB93DF50E2697FE4A7784C2DC6FF9856FC24C238CBF3783015FF155A91796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:02.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26660909BD3C45B1B2F27B10AADB157,SHA256=C65C273EE63A89399DF794013F9B979BE76CC99A423187FE2B4708282D1C5EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:02.085{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0231FB2723786CA902F792B0F3DEB75B,SHA256=A77326A632D061105F333B1765F3B2D7F4857D6FF65CDEDC30BE3D51BBEE870F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:03.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A934A8F9A0FC34C3EECD4C59D5AA6976,SHA256=C688A113005EE0A211290662182CD58C04B82D52632813E011600BDD234E0029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:03.102{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9FF356A70F97623AA749CBC380D3F1,SHA256=03EEBD221FA586A7DC5918A57B74CE558EB29CD9D7230BC8E3B1D73E8C0999D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:04.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4579176A0B6C9AADB1084A4A2A2874E2,SHA256=DFD127D4391B39A84B5F6390AAB5FC15958AB332FB6BE56BE0275D395C80120B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:04.117{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D57045DADA25E282F10CBAD5D190388,SHA256=32F169358777A30C58416C65D17A3745AE13C5990D2E57708AE72C34FD1F54AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:05.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D334B49A87E14A629A9BC23E4AB7C2CB,SHA256=4E01FED981D57A8F2D28D242A69D4BA19FB1021A6CA2FCD01F4C6341D37FBFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:05.132{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB8DB51D6417ED774291D45BB178EB1,SHA256=717875A95CC2EEA2EB62BF99D0873ECFF3D060EDCFE9BC4FC66623F677F2D37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:06.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1114CAA62FA9B536E3601F3744D8B2,SHA256=97D564D7755ABA2800561C25335F72BDCAAF193829D2AA6304BC824A1F8F5298,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:01.113{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52240-false10.0.1.12-8000- 23542300x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:06.146{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3251339385D99A7EBB5FF3827AA7C21E,SHA256=0F92D577133956DA10862C24582C46BB9E44F66E2000AD607A32650976090835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:04.706{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438E26B00C7AE5B2121C10FDB6B8CEA9,SHA256=1BE6672260F608F046D71A2D1143FED0936F7ADCDE9CD482CF1732DED6C49322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:07.161{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138A28A4B445504511247DF92E611C7C,SHA256=4362B250E9BF9199C98E9D7869D946EE0D0C1EAB1D28EBF137920D56E57619FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.313{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AA706C33530604487A8218687008D554,SHA256=1BC64720569D981AC893C5F6F215103841A7A676CC9B54E3D9BB4C7DF617AE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=C670AE5DA454D0D1D0FE21E5758DEDF8,SHA256=E941B69B2632DABB411DF581C2BD641A713E46235CE1E9B801D43BA0B094BE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=3119EEDD0F52D022F5AD3BD060CD7EEB,SHA256=6F975608BA471B15E03A3B4D4C850942C0EE4DCE32394B361E19BB0DCBC5ABEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=746FAECD01F3CCE909D6C95C2649C3BD,SHA256=540A05227E874CD970DCBC66F216FC69EE0E2B1642EF8564D5B6C564D917488F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A9C72E9BCF5526D6E0FA5C352B758FDA,SHA256=A0EFB82F495C8518C5D04304E657F0B84E06D5DAFFDDD5EC103878F3FD7EBB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=CE8E4D9F3868DF681325F3A75C9545FB,SHA256=2B5C5954361E61F61519E6DB20F40322FCAB8BABDC3160F69C00025351989171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=AD24DF1E9DCCF92E3C90CE92F53A68B9,SHA256=5B837EAAEC8417FC39BC4615AAFB43054232C1E6005A841419F6F44CB057446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A636CE91AA2AA07262EA4E4C8796A38F,SHA256=63ED1C59C2FB4372C4DDA33C6214BF46D55561359EA91FAE8C95327E8D2D7579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6314FE9AF98134A86795200565F6D72,SHA256=2672E22D5C4E5216948BB1A40733A19EFE836800B3380F8C05C49F43DCE37217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=0FB86B1C261317BA1CB69227EDE97A09,SHA256=DE057B8BF296524240FE4698294AB1DF42BC05A7BF5F01C27AD6212611B31AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.035{D371C250-BA03-6124-8C06-00000000F101}31603744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:09.212{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE04098DE6EF23774A1B9F5FC13989,SHA256=F136B4147BC3EE9EB39B136C9E1D6C46BFB53BF1762E26F55E2AAD97310DAF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7005E6B41CE91FF2AA4FD6F86FD242,SHA256=E0C5015D441D7C85FD7B01F1D95EC2AD0052D5EEF1F12CA73803547B960D70DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7B620772A90CBBADC739D17AA7727E,SHA256=A9F293CC561FAB5D4DB8CD441E2BC267B20079DDEF72CBA6F2F2C4EC43FD5135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=441E210EFCB29E306672E752767FF50C,SHA256=D5858C68BE73959623D05E91A0D5A7EC75BF3FA46C3CB0D1A03007BCB899B2EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.004{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:06.971{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52241-false10.0.1.12-8000- 23542300x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:10.228{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE510B1256465A4D7FB3FBBC698E25B,SHA256=5B180B88A8C54FD9E331AE65D02D4C1D12677B1F982DC5759227448F16237DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.175{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7005E6B41CE91FF2AA4FD6F86FD242,SHA256=E0C5015D441D7C85FD7B01F1D95EC2AD0052D5EEF1F12CA73803547B960D70DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.175{D371C250-BA06-6124-8F06-00000000F101}13803964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA06-6124-8F06-00000000F101}1380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA06-6124-8F06-00000000F101}1380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.034{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA06-6124-8F06-00000000F101}1380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.035{D371C250-BA06-6124-8F06-00000000F101}1380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.018{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014DFADCE23FDE1B7F78E80F75A32A33,SHA256=78BB41EE1ECC6938513F3F2F699B92DF3ECFCE42D4B2655DF0CCD51A6FA69A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:10.082{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-107MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:11.242{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254456651F8508CE840CD751430178FA,SHA256=7646F5152AACBC039A057E9AB183FF2B74842669976E065862EA19002F456A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.940{D371C250-BA07-6124-9106-00000000F101}3356512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA07-6124-9106-00000000F101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BA07-6124-9106-00000000F101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.815{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA07-6124-9106-00000000F101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.816{D371C250-BA07-6124-9106-00000000F101}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000025761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.737{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000025760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.315{D371C250-BA07-6124-9006-00000000F101}31443212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA07-6124-9006-00000000F101}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA07-6124-9006-00000000F101}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA07-6124-9006-00000000F101}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.144{D371C250-BA07-6124-9006-00000000F101}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.097{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7329ACD1F4B0A0098487042BD6DF712,SHA256=79B4C67887695AE3D030E41D018CA28240CEE882693609E7AE53C71C40707BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:11.097{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.458{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C59060D897FF9A790A702ADC98134B08,SHA256=3807C289F42EC2C2AD2CC237D6BC70EAC39C39C2F9F7A5327AEDA5B926027E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73B2352EC95F57B8C62ED9FACF58E7B,SHA256=8D5F5557EE21E34FD75C505178E8F064B5C112EC0AE041FFA07B445179BB93CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:12.258{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA25E75D343DA90A3C600EBB2BBB4E91,SHA256=5905D020C0A97B87BBD4DD869A0D80677419782C0ACCF86C075A75D831473143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:13.487{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F8208EF9158DEDFE691A82A6D9EA0A,SHA256=7E3FA57471CB8EC68C71AFDBC8E2C179E33904067ABE1EB8A9347598B1F696FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:13.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE33410641660AA475C56EAB6948BC3,SHA256=0FCDD991BA9547159604FA5F19FB1314AFE185868816A0AE12E2E3DD2CEA3D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:13.275{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B44A137C0908B5A9E6698DF9CF039E,SHA256=55887EE6D7CD688E73DD95084B8026EF468588F087D25FFF46BE1C40994C8F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:14.612{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3070EF8269014FCDC4D1BDBA55098A4,SHA256=63DDB07D6335604A38B69819208209606012C77E6BCD58B9A9FD19675E82C82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:14.293{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD191A8FD986A320DE389AA4EA598F5,SHA256=BFFA64B49D0F8D3C44F89BBC20AD86FAB8B3D9D905604D84CA111B59B4FFC285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:15.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33BFEE7EDF8CED78E59DB68B306B64A,SHA256=806677C54F2A0E4E6ACA47B9C36DFE1E61B66B28B1966C7F0E86C439BD8E10C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:15.308{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894B368F1A54EB62F0936351D4C3CD78,SHA256=DE227DBE18AF5EB0FD7D466455A2C96E809EA03792FDB02089F542FA618CC0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:16.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9742C45DBE1EAD3EA07B0F02D277E01E,SHA256=6C9FD2A12DB7B12C47E899AACAE5FEDBE23A4AFFDDB3B2F4CA62A8A9CE61190B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:12.083{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52242-false10.0.1.12-8000- 23542300x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:16.324{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D567564E8D30F116A54C6375C447CF6C,SHA256=96D56D40F08251FFC908AEB1D21798358844619AB9B2ACED6FD609EB32D793A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:17.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F8997B91DDB016DEE57133353A1ED1,SHA256=242869546C197DCE553741594CFCB4F39E8EFDB2F4B79DEF8188B6D004D42E0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:14.768{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:17.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F1CF57E275FE4408E9061671E4F9C,SHA256=BE7703E23A737E7E18C32844BA5B509F4A99AD055605A6658110D61780163DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:18.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C79C2A94FBAE58BF81978CE2B7A7D76,SHA256=723F5C406916B5ED3F4B3822BB43335E26CD2EF4B42879CC1271DCF91CDD88F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.356{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499166DA1910B1CE61AD9A2293B1468,SHA256=71133FEAC7B9864B83ACCDC914EA9912E425D93F4B4B987F3935C406B5A5FFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.340{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA7F088B69B7640BBA4009725306CD82,SHA256=31B56FC2C3201B689A3120782E5EC244E824F490E5F00031325E18E1A49C459B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.340{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A82CF66460A1DA451FF26AA1138C633,SHA256=D96179DB6848708F04E473A6F723E8B275605DD6C6DA4E477C9C53485DCFF25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:19.373{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE4100CEEC036CD07033346BCDF3B28,SHA256=688C03476991B769DA7083795ADF8DAE814B309029F2FB0B4BF22DFFB5191361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:20.065{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDE04E01596139CE8E0B945FA2C1F29,SHA256=F0DDCB5FF5C867496BD6AADA9683B0F2F7688CC02235E15CBEDD02A41AFB2CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:20.381{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5951C53327A5CA0037DD94F84CD61,SHA256=61A006ACCC8B3ADD3EC706819F6C42A7DF8A29D479E8578196ACA9F6D8F6CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:21.097{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C489F335207756D9BCB75ACE24A1EE9,SHA256=552C5E806993D39882AEDE219D0BD873761FC1759C86B6BB8B9D738E67CD8F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:21.406{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35785133D0AF2D94D53138A504A2BE48,SHA256=73CC0B821752C0BB4C07FD7C4F9FB8D623B1E460F75DDFA72B502D724009079D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:19.784{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:22.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5897716A5905EB34D507E27503CD7A28,SHA256=C7ED6C50F073107262EBC03DB4D4342375131B398E2E9EA64A5AC6E0E5347D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.103{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52243-false10.0.1.12-8000- 23542300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:22.421{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183D475989FE4967D549C530F2DDD604,SHA256=E2745ACEF301F4DE84292F96D6139DC1F4B7DFC1D67F896919A6DAE41DDA891C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:23.347{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A894961A4EE2EB161B576AF097CBBA,SHA256=24F29808EDC699A23D9549CC65AB6F7E9AD67DEA8DA08EC6D810621BB55816A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:23.451{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189622CA1434FE7167133DDF5C0A701D,SHA256=16FA46EC4FB8524A5947810480375FC234485D8E4DC1E693696D75245DD8FFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:24.425{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83F6886087CA6616A6EDE28C83874B9,SHA256=A6AB10C3A63C33BBC95F94DD43E9AB893EA839F71A793C73DDE4FEC64D0CACFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:24.452{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C06AAF810C78C2C04047176AFD212B,SHA256=DA3B7E569406D941ACF792647EA742C7286C0D39DE2CFA2E875662F3144A1FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:25.518{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9DDAC608137C273F66775B7BA1BC0A,SHA256=BDDACE69A24F8A5B8D4A486F1B528BFF3A29E0D63CE53D55538ACA2EF1C768F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.751{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.468{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62347C351E2D3EB1F93A1F2F87946E,SHA256=C894CA0F26C858A852D11A6F2D98DF4F1AFE6D5D91BCEBEE2204865F32AECE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:26.519{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F514B29A1A576F39FE66A789F5B33FA,SHA256=3D8D10362C5D490A74B0A959FECFE082BD47D038802A40A57881D860F514E61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.761{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8184413134770B3562111B94CC0A287F,SHA256=A42A544903C5D11185728151407E04CE269FAA989F4298A484644D06D2814B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.760{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69EB52FC7EEB6AEB64289EE4798CF11B,SHA256=4D944D7D5002B7B7A1D20353E06EA62D6D48FD61D33B66FA771D8F02FAF8C15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.487{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543992868D9B1568892B94242CB5D1BF,SHA256=0BCCC5A7DC2C96E0DF0C9F7F26E2119A673B25938DA6B5460C4C1A110F913CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:26.272{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-100MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.435{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:27.532{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BA31EE65913B583CECCF7A8EE18808,SHA256=DDA765B7F1FD2A489620502E2335860D48E67A3E7C432F39D11F2C75D71D6857,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:23.163{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52244-false10.0.1.12-8000- 23542300x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.488{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDF7DC0A30421C6D00DDDF92B9DB04,SHA256=C0103A2A7D142380E229E505D3535B8B80D62049CCD3F7993CECF0B591B8C745,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:24.815{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:27.285{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.304{80A11F3A-BA17-6124-2309-00000000F001}15846184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:28.535{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D28B0857EF1B5123FD2415596BAAC20,SHA256=8CCD08A3AE4766944756A017D2C1E33AC6F6E95EB58C9714A9460D1325740E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.892{80A11F3A-BA18-6124-2509-00000000F001}47166832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.709{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.489{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98C78C4E0D1857893FA2A93C9B544C5,SHA256=3A662CE12EC50A890C3C84A833D43D79585B777ACF9EEB227A888E43912EC7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.303{80A11F3A-BA18-6124-2409-00000000F001}60484076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.135{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.119{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8184413134770B3562111B94CC0A287F,SHA256=A42A544903C5D11185728151407E04CE269FAA989F4298A484644D06D2814B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:29.535{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B46A769E1D0FB113EB84A60446865A,SHA256=3C26DC215CF8C4CCFDE00DF0229A1A397FE3CBD7DE28CDE962AA8C82C6DF073A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.576{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD58724A1E904280406F459C574C421,SHA256=8A27B7EC7888563F4B84E02AA3DCB70778DD8BAECFA914954BDAFF7517A4E7F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.539{80A11F3A-BA19-6124-2609-00000000F001}47886524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.340{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.139{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D8321B6F508F5F2B371451840B39D4,SHA256=BF3672A3839B441712ECB62B0E52D82A92872365D1AF1E4C8289AC7A313368BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:30.656{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D7B170C2F3DF9DC8C7F162DCED19FA,SHA256=240E1D09C9014771D694F047270D0DCE762E5363099088D2B021A90C680B1342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.610{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8310ED4A14CA654C1AF1354CBAA0B1DD,SHA256=7AFAF67E45D9258BA6F5D99ADDC9E6262D4E7989E0A3C1A523EB377B8544CB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.342{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AD5B53D6D849ABE49434D0A758F481,SHA256=EE3CF92D44BD93BEBFC9DDCC6596F9B6C3189806AE56E5BB892A66ED798FDF29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.011{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:31.844{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88420844DF2A5CD5EA00E49F646BEEA,SHA256=46F1DC8B47880010CDB98AFC9B349341D06788546A0E1EC848AEF89B79EA2AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:31.625{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285332D0A12485FCCDBF6B1A79D28AEC,SHA256=8BC02BC4CB43FC12758E3711A6E63E49A72506E854E768985AFDA172430A86E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.985{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52245-false10.0.1.12-8000- 23542300x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:32.640{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503C52CA6E02938CC6DE97446044C00A,SHA256=32738676F157AAF035F4E44979C1EED63EE59E758597E89BFC2D0E26DC8BE9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:32.719{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:30.672{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:33.078{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91D488A65DC57F2F5DD7B94C8F4CEB,SHA256=F168E73EF136A3D1F91B22F0BA41A89724CBA36AA7FD566DC47D6C76C20D162F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:33.642{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1C4229C33E10E30678746422C6D958,SHA256=8027A2215D0F984FD14CF46C5088D0B25B59BD936A72FF28EE9E85BE84DFBC56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:32.313{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000025818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:34.297{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE791C40BCCEA1B746A2A49472D59A3,SHA256=1FF0DC9ABBD4E79635BF07D4EC6FFCA4472AA4776C892EB0C220B3B589946627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:34.657{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5992FEAE716E2DD22326E34BBCD8,SHA256=48F23E2B37755334FDAD23A82ACBA3121D4F014EA7CB26D95FCBF4E8EF13FA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:35.531{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896715A849CA3A099571A6105E48BFDA,SHA256=8847BCE8D354DFCB4D9D3B36D27DB43239A2EFFAAC0DDFB501ABC5A92B6D050B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.675{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369876997B3F708E782C8981859AA607,SHA256=739AB01030FFA5044C558DA49881CA8825BD7227ED7204EC618204496AA988B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:36.656{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B745C02F0447BF80120335023F13FC70,SHA256=F459CEFAB4226CC080C45A2DF248BB3F353A9A7AA41695FD9511C2EF8C5F5C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:36.693{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D374F6472E5920F90D29B62A2ACF207,SHA256=348D384F94922537402EB110C468F290B606F79B1A60AB03AB4BAD63D0BD0EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:37.891{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F39680F931227420C0518FE3862B0FC,SHA256=13A40E8D1F19136BAC3C72358703BB3C41BB6671D8FBDD8BF806FC7B61ED2C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:37.724{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE68690A9409D885A20580163E0BD2,SHA256=BFD18FF311489FE20D61419D1A91BF0C9D60771E0153000A85122E8669B3E09C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:35.719{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:34.984{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52246-false10.0.1.12-8000- 23542300x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.739{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F581B495CCAE4121F68CC32EA29235BE,SHA256=E16E34E15AFC5ABA10D2A9290BACD497A7B48F7E55777F09BBCCBD1AE7392EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7578059434605C928880A042D1EDA7,SHA256=A5AC9ABB6AF3D042472BE5ABFAC661072A75F7135C5323E2E089083B5E291237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB052D71DC62553683649A895B814259,SHA256=71EEB156943D7B60C418E08F6AFC8FEFBF8CC07E8612FCE2BD1EE0A97767F45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:39.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B4B786FBAC47343401CD8C2EFB86E0,SHA256=5D395FFFD2C6A83CD1AB9F0D00C069757D4D6C6AAD78C9A76B4E6C3F6DA9BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:39.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2CD40F92C665FF2BDB93BDDDD4012B,SHA256=594007B1B5F54E3510F6DED80E0D46A9ED14B004788B017BB4FD924BF9B931EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.568{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52247-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.568{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52247-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:40.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DCFAF29EEB2A294C50FAAB968CF699,SHA256=610BF1FDFE7E202A6A3DD8C5A8BAAAC013D67AC49C80AFB8C6AB2E5B4B464D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:40.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73174A07698925F8D98E683ED532009,SHA256=CB6100FF5CCE668BE92FD8AFA8A5950427C71FCDE33B8B37A07C133F9ADB40ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.778{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434F26CA00689391592EF824D60D006C,SHA256=54C1169E3457EE2D4B0CE7137A4E47773722A419C7CEE5AAB1F8B9132976BE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:41.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C1266A58A1EE2F39F8FEAE4D714D12,SHA256=5A07FF716AC590F3679659CA68B60ACB6DF5578B4AD74D0CAC89080D410EE30D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF663b43.TMPMD5=042017AEE2A6D70371EA976ED2DA549C,SHA256=A6CD906A79F3CB66129A7F4540F5445EA9A7BE4AFFAAFD6FA65B44CCD7E0A3F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+c2d3db|C:\Program Files\Mozilla Firefox\xul.dll+c26192|C:\Program Files\Mozilla Firefox\xul.dll+c2b7d0|C:\Program Files\Mozilla Firefox\xul.dll+c2bf2b|C:\Program Files\Mozilla Firefox\xul.dll+3b9291|C:\Program Files\Mozilla Firefox\xul.dll+c2ccf9|C:\Program Files\Mozilla Firefox\xul.dll+c2fcb2|C:\Program Files\Mozilla Firefox\xul.dll+c2c716|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c0d1e3|C:\Program Files\Mozilla Firefox\xul.dll+c0c3d5|C:\Program Files\Mozilla Firefox\xul.dll+c12c4b 23542300x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:42.813{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF880681D4BD3EC9ADE9C34079639423,SHA256=3262E9FFD4056392767BBEFC7C3A1300A48A427810E28AFAC3D0BDB0EE93E3F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:40.766{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:42.156{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97C53B8EE5F6C4EC8D4240E0C549BDC,SHA256=7D5C353B10164D9B25FDF9B54C1C669362203436ABC0FDEDB79C35E4BB99692B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:43.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B502621B3C14DE063827CBD50E32B14,SHA256=2EBF83283A28D784BA119EA724D83610382E05CC43873B2AB5E54492256433C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:39.985{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52248-false10.0.1.12-8000- 23542300x800000000000000025829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:43.156{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB034D56F9FC3F7E009D42E7EF8DAFBE,SHA256=A6C1AA328C86270EB89E763277171AA9833AEA1156A2BDA6D4C2259B98F72407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:44.830{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B61D8B7DA3BB2282A0F8D1613956A74,SHA256=0B4581C3A430DDDD9A3DCBC120FAA6C3C4EF194741325685EE444FF7C9E52280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:44.219{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275B8962310C50273B4A8E8E8E55898F,SHA256=8D24C512C307A96EFDEADADA75406FFDF1370B960864464B86A66A202DCB40C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.830{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E01B578DF239C842085CF2E28412F81,SHA256=48CE0B8D2A26C57681AC38786815783492C5155918C51C4D437B946AE987DC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:45.437{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F73666934A5E293903C273872B70B1,SHA256=15C5A7D35550316F71C78ADA08E8EAE69A33184CC19DE0F6E829D2A29C3B64C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.761{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.761{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:46.831{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676357C7912634434A1072C87DB3C47F,SHA256=C9E9876C28A4D026FBC97BA764435B406F7C8569E38A5E441153363B57CADC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:46.562{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC725DADE82528DC7D1144AA21C60FD,SHA256=113C8BA495A54FAAEA5CCC11A9F53911735ADB8C6A087C5F4C545B54F19417C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:47.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CDB411ABBC62703DC787B7E3040618,SHA256=2CF7A6CD831E1C757F074E184743C4F168733689EFB8EF2D232A1AB1175BDF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:47.625{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E41F418073C9EAB8B71357A7B898E8,SHA256=DADAA33E21BF2E9D2ABB93918663DD95D987FC1EFCBED0E863392CE39D8FC54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:48.703{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FB3DC24747585320B174B3EDFA8D5A,SHA256=0FE9B7A0143B5C09C8DF7C3DC0E3ABDC5CED0145973F5A1C04AF20F6E9988B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:48.898{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B572C73675DA3506138B2B26A629D90,SHA256=AA24B6EC5D0EE15FA011CA69EDEA7C3602EE99D1AB4472930F0BEEDFC8336034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:49.926{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E31E52D5CF9BBE071945E8661263CB,SHA256=A7DE3BA9EDCE8499B10945BE2A2A40E43356FD92076FFAC445375EEC98B32A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.929{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D1F656411BCEF556B62D81A6238708,SHA256=F36DFE68A2A2BD336119E6D00E642C2CC176EC84C8B8652B6C07CD8075D6DDF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.713{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.713{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:50.944{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9FE86FEBC82E2C275BAD093A7A786D,SHA256=4BC80E776EBF9EE9BD514759468DC449D346F73C43868C1C6A2EA818A37A8E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:50.786{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09C63A31FDB51643A00D752C0DBD4EFA,SHA256=2A210630E7EF88A47D25D49863C100AA76B3B4479A6AAB4DB2FFF34C41D19088,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:46.672{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.974{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52249-false10.0.1.12-8000- 23542300x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.959{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0FD67B2EBE3CC39AEEEAECB24750AD,SHA256=80A4F0593D4D13E21745A500CED9C75854BC9FF274DBA046C80E697525DFDC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:51.036{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8CA343345438A732BD26A79EDA2B0C,SHA256=45DB8259BFF2AE3D97B921C8DA9EEB416203DA08A01851A8B4F584D9D9842754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.059{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:52.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4E459B13F814F0EAE8E8F24223BF3,SHA256=214CFD0385D71D4F08862EE8D64025FA35FF315902492677BFFFA76552E62258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:52.255{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C6BE84C79698F7E066F78A7212439,SHA256=7558709CAECDEABE4FAF91DA7589EDF8415B2928FF0C51C409403BCC1A8F8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:53.995{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A211DF2485161C2AAB49BB595C6722,SHA256=CE0F02D187E3C28EFED14DF73DC95D066FD5620CA1B5E754FA568D13182353A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:53.270{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC34A38EA530785DC3F95AB5DCA9037,SHA256=4C6AC654BBBBA4BBCC1F86D1620C37482418646594978848082B6444AD99B655,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:48.957{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52250-false10.0.1.12-8089- 23542300x800000000000000025842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:54.426{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8CEE597CDC1F1CE4A05DB7F4FC8152,SHA256=3B21A77248AB8558E1D3B0DDCDDC62F532BC076F71D18AAD74C888BF4A0E9D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:51.849{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:55.567{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881F87BF96422ADC2AEC263AB5965E76,SHA256=74069A411B9FA42962E4B3965B0754DAF3C66DBF7BA2686A97D4C5C71F1091D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.087{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52251-false10.0.1.12-8000- 23542300x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:55.025{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94915BAEDFE0315C60EA4D61670ADB6D,SHA256=8E3F8871D0FD4330DA86AB3285C4A084F158C34E7D942A1ABC8B6064C46CC6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:56.567{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F496E31D84DD8D1DE93AF86D78867D5,SHA256=4C5D2968C0686F8E53D1A9ED0B798208543D6512D4818BC1D3DCFA0222D28A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:56.056{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888170655EC3707CDC53D97146A613CC,SHA256=0CA8DDB93616DCC5826D15657ED2E86A9519206661FC5BC900767BA25BEADB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:57.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA30D76D9FCD9811EBC288CB73E512F,SHA256=AFD1222A48FFE23637C221F1D249B7BF8C63DF3AD3C6CC96F76423B938FD79C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:57.078{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E7ECF97863FC21A266759C4E49211,SHA256=4CEBFEBD09F069DD8F188B552550918719514727A13CEBDEF19F598A78B80FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:58.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F17E1717145446D0683BFC916DB19A,SHA256=2DA5685F2D6E977384F6595C1BE04FDF291CEDB5F7E70FBBC52B39FAE08E3955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:58.092{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85FCFDEA96D2373621AA81280B14CF,SHA256=6AD87EEDCBFFA607FC5CFFE59E1389440972F1E3ECD1AC3C0A13E9AAB22D97D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:59.801{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E04F1AFB1F4A0D45F59E0183BFB7B0,SHA256=5AD2C59DA6587D39A6FE50EF6D9C92A028C5DE190EBAFEEF24CF04B4CD220DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:59.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5A2A6DAB3C3D5204FA1DED1A6C08B1,SHA256=D21F0FB29E002D4DDC878FC7323A9E35CC3783233E1BFF6FA4DEC4B09B3F7DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:00.973{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C9D6336A0BE3E6A34D7963C470377E,SHA256=1BBB1835FC71BFA7114A4341AD7CF4D2DE1B1BC6CFDC5C7388C55259BA6E38A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:00.155{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FFF8D9BBA3622E01748577BEDAEFB5,SHA256=B75ABA1C3D5A0D26F0D6989A1242D9A53979FE802740A93E07E2FA414A280FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:57.630{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:56.106{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52252-false10.0.1.12-8000- 23542300x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:01.173{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7FC393F7AD09D41C68DE9673B995EB,SHA256=415B60973A050F364E5362493906AF02B8FC4FD977185A5697DD7B8F2BB786D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:02.192{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFBCD44883AC518A010EF6AC1BD3484,SHA256=F6EF447EA0517B9FBB64FD9AA35C2F8440CAAED3D69C5431B2F7C0A547AAEBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:02.192{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935FD03973E69C6FB44B992532CF8BA1,SHA256=750BDD0CE756EBEE74D7763FC74D98CD7264404EC8F309BE3F628C3F3D64C5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:03.395{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82F1C2FEB8F7630118D92EC990BBA44,SHA256=B3144BBB553C239A16C036943EDB312D4D10369A4B4817D034E5E5B6F5998A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:03.207{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1FAA01562B36006D8B81A5C5A63EAC,SHA256=7F5B8E7008D2B1ACD8C074622B41A8C7336D3E4018F632DDBCDD738340230558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:04.395{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1E87FEA1124E50BA7714D06442FB4,SHA256=E1087A4770D03A368B481C0D1239EB5284E68502C3DC14F91C003BE5BEBE2F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:04.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D78DE34A5DBE1354910F6DF9436056,SHA256=2AC6BCB1A806B9EFC05A628229A14B016E4C3CF94C1AD4DDA1988979F2275689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:05.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70E6008976C9A1093C021CD77AF2BEC,SHA256=4D34193D5ECD479764D1D20DDE33135E6F0A595DE2CA81A4FCE5E7D2CD81BB83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:01.968{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52253-false10.0.1.12-8000- 23542300x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:05.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25B38D05AAC7CFD1F20E37C151FDB9F,SHA256=884C7E7728A01FC9F4733ADB7522CAFDA9CA8B3E839E1DF91CA6323E874C4804,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:02.661{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:06.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A92B8F7A4A0EA24C68C153816B4C1,SHA256=A16EDCA12D1351B3701CDA67ADB39CC0075EFF42F7A9475A12E6DB1F9C1D4D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:06.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D2DD82E7E42DED1CE229148B118C88,SHA256=E09B407B662547F6DA14FEAA272B6140EA79D3C51A58CDAAB3490AF4DB75E48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.849{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44CE17507DE160E2A18BEBB24CAE7CD,SHA256=1E5EDC65FF6CEC434571CB9B383858A17EE2D4E6C61907590203645E1CC97764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1EC969CDDC080FA0BDF11430DF09D816,SHA256=E7D28D01908750FC1A53A3601E18BB9DA643814126D4267496FA1A595DF872CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E5BEB2B67AF7AF8A216CE1515B53A493,SHA256=64203FAC6D1A8817FF9CAD75220AB23213CEE909986EDA47AC65BBC3A0B9B81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=EFF44F3238E731103F0DD7BE6332E536,SHA256=AE35F1BA8695E7D58A710BA1D14B341FAFC68C84AA3C274E0F072CE97D3D6FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6BB11C2F05A4A3DCD6C8FAE3AED72D76,SHA256=6D78FEEDAF6E344F256D76483532A324646F8A2835375684E11837F99F52CAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=C1C9E779A9CA8690362402CBCAABC7C5,SHA256=CC128B11C975D8F748AD1EE73B5314FAE4C58AAAAAAEE1FFB3C18DC178B52E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=EF7E24F067F55022412D189B8006090F,SHA256=D6626A71D8B321917AB90F0CED22E39C2BDF6376DD6DB5E01E6250055DBF0741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=F0FA4BF16E96679406AD9C23E9DF525F,SHA256=7DDF25D6C61BCF27632BB1877291BBD242B75C9067F984358F03212C6179E6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=53142808DA16B451262EB7F3668844ED,SHA256=57F06C2F1098FC996FEE0750F0D87A857EF01D74FB0D3EF2F0878A08F327745E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.238{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD097678F6794FBA76981C58E56E0AFE,SHA256=1EC5EC9355B2684170EC83C542265CFC8FC2B42E0CCF69B1AA7691F59029C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:08.321{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3288248A84EFBEDBEFA64BD4C0DBFE62,SHA256=AE58E1D8542178B44197F97BFB308B07D73949E25CC849CD551B891B84BC3255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:08.253{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97EB6A847B9F0886719448DB45324E0,SHA256=9747C8272871BD24FB454EA2ACE8ED1987328449CFF5849A8D202CE049461D8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025882Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA40-6124-9406-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025881Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025880Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025879Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025878Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA40-6124-9406-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.520{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA40-6124-9406-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:08.521{D371C250-BA40-6124-9406-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.208{D371C250-BA41-6124-9506-00000000F101}17002852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA41-6124-9506-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025889Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025888Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA41-6124-9506-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000025887Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8A5BDBF5CE6EDCA66E9408B346EB28,SHA256=4A6A5F9A36547E3B579815BF8E971E4DA184577FE2CFC4AC8E4A525403D50689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025886Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA41-6124-9506-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025885Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.069{D371C250-BA41-6124-9506-00000000F101}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025884Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADD21D906EAABA0E104D0F21D4F082E,SHA256=D0B6A48B27F1F0BC7285AC1FAEC48DB23C8F8A48114D54BA4AEAC8A5B24A2DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025883Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:09.067{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A733AC25BD9BDC4C543FBD7AB5C5F714,SHA256=01CF2B2CDD23A415DDEC8D5750023283C0B8EA79B17E26D2ECD08375741A5FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:09.270{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7915D305E87DAE59A11451748561E4,SHA256=E410185E002D3EA5E96E6FD4B6F36B2D360C87022D21AEAB8091B7F430CDF797,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.849{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.288{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8A5BDBF5CE6EDCA66E9408B346EB28,SHA256=4A6A5F9A36547E3B579815BF8E971E4DA184577FE2CFC4AC8E4A525403D50689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.273{D371C250-BA42-6124-9606-00000000F101}31202848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.210{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43A505DF645CCB2B798C7587D2202C3,SHA256=4EB3454BE25E65605766E403F7B72837874A0151068B452C409D4A8B3ECC0C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:10.274{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C58AAC454CC1ED2FE16B39E36D8333E,SHA256=2D047A91998E7C4A1C1BF822AD7033EF766977DF270367A043FD26634E743EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025903Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.039{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.035{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52254-false10.0.1.12-8000- 10341000x800000000000000025944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.836{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.319{D371C250-BA43-6124-9706-00000000F101}20682368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.210{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F24E729BB5AF2B37038BA3C24794F27,SHA256=E010A7FE93EFF7F3B27D8B7AF93A83E2BD5209598FFCEE117ADFB2FB55F8BA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:11.625{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-108MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:11.292{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643013E3A6F4E6A0292864763939F653,SHA256=468C1CBDBFBCF693405E908256DCF4D494D77F31BA6B98E2635D69840124AC4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA43-6124-9706-00000000F101}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA43-6124-9706-00000000F101}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA43-6124-9706-00000000F101}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.164{D371C250-BA43-6124-9706-00000000F101}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000025960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA44-6124-9906-00000000F101}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA44-6124-9906-00000000F101}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000025949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.507{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA44-6124-9906-00000000F101}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000025948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.508{D371C250-BA44-6124-9906-00000000F101}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.398{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=697479A7ECEC40BDFE52B647B949B806,SHA256=7604290098AC07F51CA350D1C9BD4B1966941BBFD92BBBD180C713E76A50E71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.226{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655E93B7411FBDB745461AD2B30C4580,SHA256=603F95ED4F6B5DF7C1DC5C7A926C630F819F7E281DA26BA41539355309D11D97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.806{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.791{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.791{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.639{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.307{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDD2744E527507DE3E565CB8624E369,SHA256=BDC5326CD60C04F0EDA218541E2CD32497421B24861119B63EA892EC348398E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000025945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.991{D371C250-BA43-6124-9806-00000000F101}8842508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:13.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E159B907BEB9F208390F8B09E1F717E3,SHA256=E1361EE6A423B09B2D1F7EEA8EEA8BF52A6A16B0C220D678A0E8AFC381B62D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:13.241{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483567719CF60F2CD831AB4128DE18A6,SHA256=DBECD3AC9DBD44E4881E835411C4F2C5B2FFF547FFB1A62DFA2ABAD61E8CFA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:13.321{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465A5AFAF6E45D735C1F164EB0DC1115,SHA256=0D0361C20E5AF8E3C9CEBE549831626F1D8C056940B5C0FD14898EDE7D5672F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:14.413{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E64A574E59B1670DBCC1C35F0E2669,SHA256=51494D5685BC1CAC63F2A29F34CDE28AEDA455032044C8343CD9BBEA9BC8E969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:14.352{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65422C2C7E213C2661BE180B804FBDAF,SHA256=906BA1FE93AF54CB524B82D08F5AAA34AFE0D9DE39174E175D7DBFDDD523B242,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:12.851{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:15.585{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5876A206B08E7298113786984F4ADA89,SHA256=A41E057CB7C5C24CDA9A1BA2751D313239215CBF2C459C9BD22244A241E02583,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:12.082{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52255-false10.0.1.12-8000- 23542300x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:15.369{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E719591E196A8214CE09F99328F09D1,SHA256=ABBA9EF5E8BDB67EF8A6A9E099F3BA062E2E4CE7327CA05264A50C8463F89EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:16.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0581BAB43975F26A31050FD7519996D1,SHA256=2B3FA3B0A1C5125FF2CF507A6D2F5AA22E883DB69AE179EC71E4EF99755BDCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:16.387{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162813C881E06DB7752BAA1C55DA8164,SHA256=406BC625A335459C5114209472A31F84E8302C2EBF7C9F3E9FBB785A343AF78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:17.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D254FE86EE1CF0773CF9D835F81D789,SHA256=6A5FA48EAAF0DD5DD1D3398EDE4DCFEBA5E797B1A245F382D34598E0B553349E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:17.403{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AACFC7063DE9F6FA44075D83ACB470,SHA256=4E6660EFC5FC1757F6C866F10F39429E0B3123994998ADEED2635F0208C3B6AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:17.334{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000025968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:18.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF91E794CFAEC25410BC984AC0E59D3,SHA256=12147D848914D506D85A515003467D1483480E310324C026C4E0BB9A44C71B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:18.418{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D28FF75A7475AF10D78E470537CEA07,SHA256=C48D011AFAFC3B67F2B16DEF232CF094B9B40A7B5241E52E93544ABC45C0102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:19.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67209E45BCC97F1C91E5A90E0F306A0,SHA256=2C0EC6FB69397DDD92F1AABA6D15C225443AA1AC0CE510DBA6CB52DC67BCA628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.448{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBED47516FD8123EAE2B65A65F976011,SHA256=EA503D11ADE2BF20B3BD7ABB1BD7B9E33796B1F72751139A84915BEB135C39F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:18.789{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:20.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008291F4BE7534EF832458A0965B20EB,SHA256=3D02BC5DD7483031F256886984CAA67BAD3A7ADC6D8A18A9C13454B99C87F742,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:17.116{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52256-false10.0.1.12-8000- 23542300x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.449{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A30E4E7B51886DFE74258537E29BEC,SHA256=70728E7F8111442F54565947079E27A5EDE7D665359F263D1636DD631F5E7C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:21.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C9B338198A4EA8EB54D3FA3B2381AD,SHA256=654728E3A721DAF7811ED5CF5BEAF8ABCC98324F558E1CA2B617759BBBB3F33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:21.466{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77DEA8075F3752BE8054A049587439D,SHA256=4360E60A10471BD7DC4866BC37245C576CCFA22FA921ADB2A83FB2AD0843E167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:22.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EFA5A84E00C9A6798662B6E72251B1,SHA256=98D17E65A37A9FFDC926CAFBF673C11AE721DB9A12DF9F088396A59321490560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.618{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.487{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25E709BF3DA9B9AC94D41EF35793EF,SHA256=47DC585C10DFD2FF38A2182AC151CF229C1A22D1A419B6193A3F2CF4564EC262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.387{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+c2d950|C:\Program Files\Mozilla Firefox\xul.dll+c2d2cd|C:\Program Files\Mozilla Firefox\xul.dll+c26364|C:\Program Files\Mozilla Firefox\xul.dll+c2b7d0|C:\Program Files\Mozilla Firefox\xul.dll+c2bf2b|C:\Program Files\Mozilla Firefox\xul.dll+3b9291|C:\Program Files\Mozilla Firefox\xul.dll+c2ccf9|C:\Program Files\Mozilla Firefox\xul.dll+c2fcb2|C:\Program Files\Mozilla Firefox\xul.dll+c2c716|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c0d1e3|C:\Program Files\Mozilla Firefox\xul.dll+c0c3d5 10341000x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.134{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\protections.sqlite-journalMD5=36EF19DC78839B600FA39CD0D24EDD09,SHA256=2A6065A9E6BCCEB9F244BD8C30ABB169897D27330160336FD611E7E4C367CEE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.072{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52258-false185.199.109.154cdn-185-199-109-154.github.com443https 354300x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.492{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55511- 354300x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.490{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51856- 354300x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.404{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52257-false192.0.76.3-443https 22542200x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.353{80A11F3A-A5BA-6124-9206-00000000F001}5540analytics-collector-28944298.us-east-1.elb.amazonaws.com044.195.138.131;3.215.161.145;100.26.82.72;3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.352{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.224.104.154;44.195.138.131;3.215.161.145;100.26.82.72;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.352{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;::ffff:3.224.104.154;::ffff:44.195.138.131;::ffff:3.215.161.145;::ffff:100.26.82.72;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:23.502{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F02800AC3E5A07BE3D6BF336148157,SHA256=5C9835CA45759D62564B69A3B5D0D4EA721FA75080B61B2B804678C584D4E2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:23.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC341F89D2EBE9DD6C22084BCD58CD92,SHA256=A957FF2565E8532BF5EE3B635F66578165036717427F2B6D4DD08D893A4826AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:24.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074A7ABAFE344C9223785D65B37ED11E,SHA256=E0A43E4CFE394E92CDC0960501BD2D4F1F5B2E4B62CC53FF547E2015770CE412,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.439{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52259-false3.215.161.145ec2-3-215-161-145.compute-1.amazonaws.com443https 354300x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.350{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52005- 23542300x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:24.517{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85338CA0EA923DB69E4A4F346ABC400,SHA256=614A32C04B55ABF9A2874978978D6CF012DF32808D53A8AA488C40A9008C9D04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:23.805{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:25.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6B2CBCE6D9521EA1072B941C347C9,SHA256=CAFEF1E9CC12EFD26357D7D691DB4C979A28B7593FDFE9296ACB2541303A15DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.769{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.764{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.164{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52260-false10.0.1.12-8000- 23542300x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.532{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD964585BCBB4449C0C6D1E4416CBA3,SHA256=44C7AE6B1D74E74D7DCF9140EA6FE392E3C7C0950A62F4125BA579B791E653ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:26.616{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03CCBD0DAB97FDF069DE1BC63E7A6D2,SHA256=B5FB61DD82639D2BA242A35C13F7D57FA219DC63FAE24FD2FB14C631C39A379E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.769{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D8B8E6C3C90C692007391FFCD00E73,SHA256=859949B8D92E3FFB01BC94C219016DCED13A13C58FEC0053E862A3F44CDBDB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.769{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7578059434605C928880A042D1EDA7,SHA256=A5AC9ABB6AF3D042472BE5ABFAC661072A75F7135C5323E2E089083B5E291237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.547{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00543BE606CD5B719C529955E735AA8,SHA256=4D01D8A924ED02470B98BC4555049F6415AF9155AC386A8897C5980667E57C33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.432{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:27.808{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-101MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:27.650{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF106DA67A23862DBDD8CAB351353E,SHA256=473CD1D79C971E8DD0B7FF7D9AAAEA275A90F1E13BC849C379AA791C8A5359FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.568{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC01DAF769E0F2465634F71ACAD1F48A,SHA256=AF1794812F110C4940C75D9BE294163451457878643484EF70E012FAD80990DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.284{80A11F3A-BA53-6124-2A09-00000000F001}42964076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.116{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000025982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:28.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36700D532EBB3F1F3B9CBFE7B39AF92D,SHA256=4C893E6B998F709898D30C378831CF4270B2E256DDF9627C23A256F8923E9F51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.944{80A11F3A-BA54-6124-2C09-00000000F001}46126284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.799{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C48A22B7D48B7A79DC6FF6A17E1363,SHA256=89CF2307E36C888B4313BE3BD4191D8170748636AF939912152D07402BF7F581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:28.818{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.298{80A11F3A-BA54-6124-2B09-00000000F001}71447040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D8B8E6C3C90C692007391FFCD00E73,SHA256=859949B8D92E3FFB01BC94C219016DCED13A13C58FEC0053E862A3F44CDBDB8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.131{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.671{80A11F3A-BA55-6124-2D09-00000000F001}7121152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.597{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D35E96C9062110C01812D620249F5A3,SHA256=76CF405E09B6785EAE74FA23AA58F6606C896B795452399A8317BFD8F9684EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.497{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=68A91F749068932505C4C4DDA9BA8ABE,SHA256=1B3FF6E458916DE4D249D9BCDB17208F8788F39BB9090D0AC49FC7D378E97AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.464{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA55-6124-2D09-00000000F001}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA55-6124-2D09-00000000F001}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.461{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA55-6124-2D09-00000000F001}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.460{80A11F3A-BA55-6124-2D09-00000000F001}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.144{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1720EC096C7809A6E08920748DBFA3,SHA256=C59D4B988F6610E8AB42004A31CDE03FC95225042AF23A262E4BBFA977EFB3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.916{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B444DEB26827E9FC64EA5688C97132D,SHA256=678DCE8D2E6402F0A1AFBC457D62666BA8293CA2AE7FE254D6DA986B037CE53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:30.108{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8910F5C8DFA4082F70E963E9A6DA2BC1,SHA256=57CABA49FB4EC9A10493DDB09FBBE159D9557759EE657A116521D627B9771319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.483{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC05609933212E5F884B0C0FF7936E4,SHA256=1A750A07CE4B149E4EB1E6F3535E7D21CFD53ABBAF39AF4D0F92408056C8A4CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA56-6124-2E09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA56-6124-2E09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA56-6124-2E09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.133{80A11F3A-BA56-6124-2E09-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.117{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+c2d950|C:\Program Files\Mozilla Firefox\xul.dll+c2d2cd|C:\Program Files\Mozilla Firefox\xul.dll+c26364|C:\Program Files\Mozilla Firefox\xul.dll+c2b7d0|C:\Program Files\Mozilla Firefox\xul.dll+c2bf2b|C:\Program Files\Mozilla Firefox\xul.dll+3b9291|C:\Program Files\Mozilla Firefox\xul.dll+c2ccf9|C:\Program Files\Mozilla Firefox\xul.dll+c2fcb2|C:\Program Files\Mozilla Firefox\xul.dll+c2c716|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c0d1e3|C:\Program Files\Mozilla Firefox\xul.dll+c0c3d5 10341000x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.032{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.017{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.017{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.017{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:30.017{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:31.932{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D031A81AE1CD5E4CFC7D0A4EDB55F6D,SHA256=C854A2BE5E0F19D46DE2125CAF9797C5A8BEF9A7F7E13A80BF20BE6390F8F156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:31.155{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8513A036248549F0F5B12B1F7003D9,SHA256=65BF95F0BD4A4D5C80684F7CAA3B089C38E5730213640D637D8C4BB779607CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:31.416{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=EF92AD15C68BAA5FF7F753E531ACBB7B,SHA256=0F9D4D9C043860BA312ED166C57786ACE5A5789E2BE9F10118633534D6D2157A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:32.932{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C168B4D24704623EFEAA5AE917C100,SHA256=F16B4C1C2F29111BE208C218F3DE4B6FD2442B2392EF01FE42DADAA936C76A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:32.749{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:32.202{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1432E17B163184048197106756B10B7F,SHA256=6A81B967025AAAC5300F5EEC4CAC20D5F3DEA66142E7B135F5B6C094F89EE5AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.917{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52261-false10.0.1.12-8000- 354300x800000000000000025985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:29.797{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:33.932{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7A3174B6C8C0792CB4B40E0AD95202,SHA256=1653AABD2CFEB27296FE85B4BA0D390BD2623C5B84DFAA078094D43022400300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:33.436{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83575408100575B585B960978E846156,SHA256=E09B22D83C2E9AB7E5B302E3A02F05CD2641CB5E73F0096C30ED4353809A27AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:34.468{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B32100B844B6CDFF04ABB9E7A36ABE,SHA256=DEE11EB4A62CFE4BE131D7C6C37C344D9B868718E37602375ECD6A4BC195CC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:34.947{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB3BA904A335060CEB0467012773106,SHA256=0C59314BEBCF826AA4835D001382DEBC0E3E745DD5FCE1C6CDB522734AE7167B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:35.961{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F24801290A3085AE2DFD07A80AB54C,SHA256=7CC0B0BFB0B76BFFC27FFDF0575D001F7B7573C6A4B3156E2BE259CE7CBF072C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:35.639{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C474D0C4EE4AD9E936F9732601429B8,SHA256=194B195A438ED77FC2C2A4F08FDE368648632AD9D93F4F5DADABF2E89D44296E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:32.344{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:36.963{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD0A384336A997FC2F34FEABC6108DB,SHA256=030ABCA90A917A52C658146B1B1C3039A614B5DCFC7FCF8CD55B94AE1C7BD4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:36.639{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE25BAD2E0C6E82D1554AA96AFFB53DF,SHA256=8DC323AF08912B25941100AB7D5AA8A44E56E782A7A81FA10EB4FFF0074CDDEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:33.047{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52262-false10.0.1.12-8000- 23542300x800000000000000025994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:37.639{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C5D4019E477B2F0359B86A4F4DC520,SHA256=C52B77D7F47F5AF71AF0E18A74ADDAECE8876F90FEE81E3CDE5D624649E44D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:37.963{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F50017B4A9EFC9099F1B9D18768E3D,SHA256=6F2EB8F92897318171122226C6AB434F02747D80374254D57C1D760067897160,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:34.844{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000025995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:38.874{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0013600E9E6031EA54F0FFA4C7C279D,SHA256=2AEBC84F0F78848DA574D7237DA47EF8FBC1FBCF9E3FF663571D36C27DE96167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:38.984{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0498253BD02F0F5A8F5ADFFBD252BC7A,SHA256=E996001F41E77B2B1BF0FDE0A473CC3F688D16D63A61B3C1D4AC510A8C6D3AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:35.592{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52263-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:35.592{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52263-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:38.684{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2EE5688427396852820356314A9D5D,SHA256=E67198A44E58B40821DD25CC03553B556ED843A34D72821EECDF28D8672E94A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:38.684{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE533C492EAF7085F9FF0494FB1D0E3E,SHA256=EC1E0FBE264031485D011FBACBA66BD3F2EF08F0ED85BF38EC1675AE56F05CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:40.093{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F187DCEBA47F78BD19DB235F776B0A1C,SHA256=44ACABC2835B03BD014592935AC1F63AB71C54C9C2773632F8CD508A54AC69B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:39.999{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80897FE31C3F4A9282DA6584D9FF77E,SHA256=CBD6392E80E89322FA5536357DAC0DF2EA52B58A68A589A1E3624E0BEF17047D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:41.093{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FD03869DAFA374AC9D1DB7AB0FF4A3,SHA256=A8F7443C6F82F5494178737DA0C7A6C93DC8289ADFC0843E3616E145D0C42F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:41.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5E3161D0EFF7EEBD352CAC2368FDC9,SHA256=FD8C904F7A9EF38FAE706A7C037F145741265E06576F18C2FD3E9D347C574736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000025998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:42.218{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C31DFA90ADB164A82BC8CA48E1CF0AB,SHA256=1C884B675DC9718937A357594FB1B98C241352423CE5B105AA703C4582307DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:38.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52264-false10.0.1.12-8000- 23542300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:42.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:43.249{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C0F91CC973C69D31A48529D143B5A6,SHA256=688ACD9404A8FE8C102AB63F07C305BF8CC11A54FC9A6AE08E011BF3AA9D11C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:43.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEC89CB9753D05388223772324815,SHA256=53D2B9122AB2EB020C38ED3FBF019C634C3D0D9190792FE714F8A9AF0EF05784,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000025999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:40.703{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:44.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108C7B3680287514E18D315F2F30B9F8,SHA256=D6CA9E7A55A8BF7601E4FD24FAEEEF105D654773D93D1B8C1E33A0EFF9EC37A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:44.078{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:45.436{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B184B94DC44D71296E57BB5259F6A6C,SHA256=88CAEF10DBBF45BAF5607DC9AA646EF52BA0B047A4A2A6A261F4D54247496EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:45.096{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:46.468{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010AE16F93D62A341E928633F14F6F60,SHA256=4BC284FE947BCC05539C9354878FCEED78DABA1E86DD1D759E2DC99888108DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:46.105{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:47.468{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA0EE7BE8AAE76ABFB5C1A2D7CB568F,SHA256=1D926EE6C3E0CF0BC5664E05031BC2255BC4BD2410BC47CC3F49A88C54529AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:47.119{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:48.499{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC05B455AA9610AB8C1808C29EAE462,SHA256=C31E57D3F017F1028EC4BAE8610CF0B0F725B0580B8F094CF6FB004F27E6CA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:48.121{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:45.822{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:44.099{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52265-false10.0.1.12-8000- 23542300x800000000000000026007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:49.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0E3DD61EAD216661023CB2C7DCB630,SHA256=271CCDE52ABCA53ADE15944860D9CA24C23A817160CCC7EDBDEE2171F634C444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:49.135{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:50.795{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=719563DAF7C2EBA0482D0C39C2B1F457,SHA256=08366E4DCFEBA0ECE674D0A5D4F32A9372576A4615EAAC351A102954FF0298BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:50.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA69F8F67F282AB1ECF45BC1F33C967,SHA256=88D7529656E4D6CAE8364038297704071CF595948367A8B8BD0F196C9F05A298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:50.150{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F24D3C67D530A51771926FFF898652,SHA256=5C2E55B48584F3A16658C18C6021EC1434A20684B897200F93BB5FC1134B8974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:51.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A02E3C7A9FBD5EEDB36AD3EAF33CBB,SHA256=E4876ABF1A4F2439FDBE9BB3D05D6DF1018C4D120FA2D0879B0FBDCD803846B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:51.164{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0206864681750BD7BC95CAF9664250F,SHA256=0A6FCF96CC86A3FEA264700F89DF77C141C572CC0E7BEA9398F4180DB90DD8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:51.086{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:52.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB6A79BD4F3FF2ACFBB4B4741538F17,SHA256=E679108EE835E5CC6BEA43ABF23C41D8CE80AF3210EA8642685A7BA4CEFF2D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:52.181{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E4631101C659152EA58DDAC54CCA2D,SHA256=47B1F6D2272A25E2F1C266750BE198DA6D6E5FEA59AA93F95977A6D7657032C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:53.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3488AD148212383647D35EAC9E8DE32,SHA256=CB709DD9B55B2372BB3CA7F4B7EE9CAC1D492D23829A9D5907581C3691A6AE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:53.200{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:51.765{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:49.119{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52267-false10.0.1.12-8000- 354300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:48.981{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52266-false10.0.1.12-8089- 23542300x800000000000000026014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:54.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8A28A86E43D4C0019A0AFEBF27CD8E,SHA256=9006E2970BAB80119587FF5AC72F5E2C4075A1B5C9634C1575B8E22058653185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:54.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641FE8669D3ED0C9C87EE975740CA8FC,SHA256=26B233DBA1F3456A674B29B67B50A93791501B0CFB35CEB17470DD06238C9929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:55.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE39EA626661CDB662711CC28BDC653,SHA256=63AEBE38E81882E6E187B3E2B02729DBAF71E7BB46F0C56D7C887CE0A93FDC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:55.216{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE6FF370E4F726639778B1ADA03FD72,SHA256=FB4F5433C7C6341BD7CCF2E40461A3672B58D394EFA86A833649BC5158E6DB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:56.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF1B304F565802D94DA97A5673753E5,SHA256=C1A0C5D59B27753DD6C5438D992EFA26459136AB9FDAB90D7C742235D7F67F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.247{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E57D0A291FF4876B2CE87EF48ED390,SHA256=1114FFEC8D64130777185933872BC9B050159B9E8D9A85F0A691BF4B531F1BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:57.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6A40CF0F2EE2094683C5B9739465AC,SHA256=DB3FA35006102A14E06DE939C42F4E996058899970007689D911660AD197028D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:57.248{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C083FE3562068AC601D4ED6247706ADE,SHA256=7FFE4C45261AF07A3CA9D5BE836FE6243F22D8DA56FDD2CE41536CC0E8E37B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:58.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA6777B1524F7F9405B3FC5B214A83,SHA256=9F3D1C242F265B8AD1AEA48E514549EFAE9F40966680B456AA5E969EDD101BB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b87cfd|C:\Program Files\Mozilla Firefox\xul.dll+b9790a|C:\Program Files\Mozilla Firefox\xul.dll+b70939|C:\Program Files\Mozilla Firefox\xul.dll+b8aa60|C:\Program Files\Mozilla Firefox\xul.dll+1a5a7af|C:\Program Files\Mozilla Firefox\xul.dll+1968922|C:\Program Files\Mozilla Firefox\xul.dll+1966c5c|C:\Program Files\Mozilla Firefox\xul.dll+1962565|C:\Program Files\Mozilla Firefox\xul.dll+1b54efc|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb 10341000x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.516{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.516{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.516{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.516{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.516{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.485{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc6e|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f|C:\Program Files\Mozilla Firefox\xul.dll+1793c45|C:\Program Files\Mozilla Firefox\xul.dll+108a9c|C:\Program Files\Mozilla Firefox\xul.dll+127a92|C:\Program Files\Mozilla Firefox\xul.dll+11ac039|C:\Program Files\Mozilla Firefox\xul.dll+925a48|C:\Program Files\Mozilla Firefox\xul.dll+926176|C:\Program Files\Mozilla Firefox\xul.dll+231770|C:\Program Files\Mozilla Firefox\xul.dll+242d49|C:\Program Files\Mozilla Firefox\xul.dll+f216ad|C:\Program Files\Mozilla Firefox\xul.dll+1696a5a|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c 10341000x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.485{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc47|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f|C:\Program Files\Mozilla Firefox\xul.dll+1793c45|C:\Program Files\Mozilla Firefox\xul.dll+108a9c|C:\Program Files\Mozilla Firefox\xul.dll+127a92|C:\Program Files\Mozilla Firefox\xul.dll+11ac039|C:\Program Files\Mozilla Firefox\xul.dll+925a48|C:\Program Files\Mozilla Firefox\xul.dll+926176|C:\Program Files\Mozilla Firefox\xul.dll+231770|C:\Program Files\Mozilla Firefox\xul.dll+242d49|C:\Program Files\Mozilla Firefox\xul.dll+f216ad|C:\Program Files\Mozilla Firefox\xul.dll+1696a5a|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c 10341000x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.485{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc1c|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f|C:\Program Files\Mozilla Firefox\xul.dll+1793c45|C:\Program Files\Mozilla Firefox\xul.dll+108a9c|C:\Program Files\Mozilla Firefox\xul.dll+127a92|C:\Program Files\Mozilla Firefox\xul.dll+11ac039|C:\Program Files\Mozilla Firefox\xul.dll+925a48|C:\Program Files\Mozilla Firefox\xul.dll+926176|C:\Program Files\Mozilla Firefox\xul.dll+231770|C:\Program Files\Mozilla Firefox\xul.dll+242d49|C:\Program Files\Mozilla Firefox\xul.dll+f216ad|C:\Program Files\Mozilla Firefox\xul.dll+1696a5a|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c 23542300x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.448{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\FrhmrTPR.zip.partMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.301{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB139CBD6C118AA054242E599C64B8BB,SHA256=55FF7998DD5E15FCB3EC2CB321AC49FF9D39EFE68E02D738317C5575CB18DF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:59.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC05F89C2B6D5629856832B3E351AEF,SHA256=60DAAFC681AE045F84E7A718DD6B250FB6470E590A6B5ED1BC3F55CE65084F1F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.194{80A11F3A-A5BA-6124-9206-00000000F001}5540codeload.github.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.192{80A11F3A-A5BA-6124-9206-00000000F001}5540codeload.github.com0140.82.121.9;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.191{80A11F3A-A5BA-6124-9206-00000000F001}5540codeload.github.com0::ffff:140.82.121.9;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.463{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.463{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.463{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.463{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.416{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685F8D72DCC25AB5F9A9CBC8631AB6BF,SHA256=BDA68C50220E23192E1E6F3703CB0024BE92929281674EBCBE5F925E4514E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.416{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C793EC8E9DC57169987343FFF686E,SHA256=6FEFB242053E54CA93D237804FF70B6E3C0F3547FF92F35B06FD07E7AA570215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.348{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.348{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 354300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:54.995{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52268-false10.0.1.12-8000- 10341000x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.301{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.301{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.263{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.263{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.216{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.216{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 23542300x800000000000000026021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:00.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA852EEEBBCC1F76513E88CC7E215E3B,SHA256=DDDAF3FCB73F12F6E9C1DA9BD20CBFD1BAF09F25D0BFDCB26A0F546D39C80164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.997{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.645{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22 10341000x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.614{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.609{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0|C:\Program Files\Mozilla Firefox\xul.dll+f318a0 10341000x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0|C:\Program Files\Mozilla Firefox\xul.dll+f318a0 10341000x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b87cfd|C:\Program Files\Mozilla Firefox\xul.dll+b9790a|C:\Program Files\Mozilla Firefox\xul.dll+b70939|C:\Program Files\Mozilla Firefox\xul.dll+b8aa60|C:\Program Files\Mozilla Firefox\xul.dll+1a5a7af|C:\Program Files\Mozilla Firefox\xul.dll+1968922|C:\Program Files\Mozilla Firefox\xul.dll+1966c5c|C:\Program Files\Mozilla Firefox\xul.dll+3a7a88|C:\Program Files\Mozilla Firefox\xul.dll+fd4936|C:\Program Files\Mozilla Firefox\xul.dll+fd41d3|C:\Program Files\Mozilla Firefox\xul.dll+fd43c3|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf 10341000x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+10023be|C:\Program Files\Mozilla Firefox\xul.dll+ff4816|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0 10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.577{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+10023be|C:\Program Files\Mozilla Firefox\xul.dll+ff4816|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0 10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.556{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc6e|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f 10341000x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc47|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f 10341000x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc1c|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f 10341000x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.399{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22 354300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.189{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52188- 354300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52269-false140.82.121.9lb-140-82-121-9-fra.github.com443https 354300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.187{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61687- 23542300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.362{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AA8B6B7279B320FE9B28D9B0DA0E2C,SHA256=E1A0C32C381B48FB22DDF47E7277CC57031CFC5D09BDE623BE566F8A222FE2D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:57.688{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:00.315{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\PowerSploit-master.zip2021-08-24 09:23:00.315 10341000x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.315{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.215{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 23542300x800000000000000026022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:01.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823A65A72D6A8FC22BD81AB9B33DFA4,SHA256=6FDC9AAA16CFAA83D21F8F3B7270F07C8C899C0738213432D7E7922E37ADA945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:01.822{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\handlers.jsonMD5=D8865ED85ADCBBAAF1C50B8291133088,SHA256=7D4FD8B32F01A66E9357C0ABA57E3283493DCE4ED66B9C12E30E9236E2D5BF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:01.371{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9EE249EC0F6EE7EF7EC683CB8D481A,SHA256=94C48120116861D35B2756403ACE1204334C08F4D2DB758B1CA1297B70EB194B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:02.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FB675323610355EED83BB4C452A0AD,SHA256=F7A9396EE57BAE8130B784FD164C4D42BE01A0D00C47333859E5F2E5316480E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.412{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local61417-false172.217.18.110zrh04s05-in-f110.1e100.net443https 354300x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.305{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52271-false142.250.185.99fra16s49-in-f3.1e100.net80http 354300x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.305{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61416- 354300x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.304{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61748- 354300x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.287{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52270-false172.217.18.110zrh04s05-in-f110.1e100.net443https 354300x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.287{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local59038- 354300x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.287{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local64012- 354300x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.281{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local57302- 354300x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.064{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58647- 23542300x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:02.380{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8501532C4BFE73FEB3130463FB9A76AE,SHA256=4890D5FEB89CC25307FF3A9BD53CF3D2AE46A0084CC544655686EC0A63FAF11A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.292{80A11F3A-A5BA-6124-9206-00000000F001}5540sb-ssl.l.google.com02a00:1450:4001:800::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.290{80A11F3A-A5BA-6124-9206-00000000F001}5540sb-ssl.l.google.com0172.217.18.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.289{80A11F3A-A5BA-6124-9206-00000000F001}5540sb-ssl.google.com0type: 5 sb-ssl.l.google.com;::ffff:172.217.18.110;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000026024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:03.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C4B5DA9C169B109440943EA9D482B2,SHA256=F242401DFDB64C82C0887B79A116D103A6EB7E7C786EA975887F5669CFD201E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:03.388{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FE5D941692820C1827BDE460C89C59,SHA256=F5C4B62F6AD4AF366051C9023BB0C08E47BCF82C3728ADDDA2561CE22029A70F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.000{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52272-false10.0.1.12-8000- 23542300x800000000000000026025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:04.859{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CDC43AC4DBA31A744AD5FC3AFEA6DF,SHA256=1D58A07B51BB9A66B523D58753CF743E26B8F037C802782154219A0049D2E81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:04.392{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECC1E425765176476BCA57823658BCF,SHA256=499138EA0996C85F4283C03ECAA5031799BD5B904051783A2CB8D4204C80706E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.091{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53284- 10341000x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:04.242{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:04.210{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:04.177{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:04.114{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22 23542300x800000000000000026026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:05.937{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7B8448B3BA721E8BE587C94569E077,SHA256=6ED9E6C35DCF125457D4E40BEA62D0FA8F2EC6652AA8D1B5CBC3E9ED55BF53F7,IMPHASH=00000000000000000000000000000000falsetrue 15241500x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.464{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\PowerSploit-master.zip:Zone.Identifier2021-08-24 09:22:58.432MD5=477B2B769AF258AD1AC67EA0AC530751,SHA256=CB929A50A99FB168AABA5ACD1AC207AE3D1EC1A983564364317A5855CE9A0DAB,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://github.com/PowerShellMafia/PowerSploit/ HostUrl=https://codeload.github.com/PowerShellMafia/PowerSploit/zip/refs/heads/master 11241100x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:05.464{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\PowerSploit-master.zip:Zone.Identifier2021-08-24 09:22:58.432 15241500x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.445{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\PowerSploit-master.zip2021-08-24 09:22:58.432MD5=7964BE12208AF3A8AFCF33549550C6A3,SHA256=9C88F63F1E6604FA77C787ACB031A7B061A46A4669D4D316CD03712AB27728C4,IMPHASH=00000000000000000000000000000000- 10341000x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.454{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.451{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22 23542300x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.392{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B25C0B0FA614FFADF4A0D841E3CBE9F,SHA256=0A1A90D879EEAF32BF9FEE2C109183E6A7AB46A2352C51A7F5AE4F998B234F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:06.942{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\downloads.jsonMD5=F7B8A2B4D9B4CC256E9B8B2DA834C2F0,SHA256=EAB8C4459B3A3BE1ADA157ED1656636731905D3199913362C20F610C7DF6576E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:06.804{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\cache2\doomed\21097MD5=65236FE79BC6084BB91254E52CE6A8C3,SHA256=CE3AEC11CEFB12B5BFA3E27B2B8C89F0525A2EFE7AD01E76F8DE354F12551E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:06.803{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\cache2\doomed\31455MD5=0C0BC2FBCD62F95CC65D695B85D85DCC,SHA256=EBD16012FC9FF5A03C1ABE098AA0F5E3C7E32462679A97C623E76A524B480834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:06.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C197302E0219788B99A9B23E22CA126,SHA256=568C458FB92C8DDAD15350EBB4DDE21937A95FC43994DDADD5EDBB9037DA438D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:03.657{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:07.564{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0|C:\Program Files\Mozilla Firefox\xul.dll+f318a0 23542300x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:07.427{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A534EB9E74F73842B74D024BC66A2A,SHA256=3702BE3CB155A52E23685AC3907FB09BF15A0DFB86F06BF9C5DC76A050B85E78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.984{D371C250-BA7B-6124-9A06-00000000F101}5122988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7B-6124-9A06-00000000F101}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA7B-6124-9A06-00000000F101}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.843{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7B-6124-9A06-00000000F101}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.844{D371C250-BA7B-6124-9A06-00000000F101}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:07.171{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24639391F19617B4C1DDEFC23570B608,SHA256=B576D12265E8F65C4C5775073EED299A2A429D430145478576134DA3E472CFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.874{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A3F3F87B0172B2E682A6E7C18057B4,SHA256=EE66658F9D02DA65532B8E299DEAEF3A0BD0D14B7B6813A29FB173A2936B171E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.874{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B394A47CA71900E4345EE1237B828A03,SHA256=9B6FC9792C4A63C6B6CF4BA24D8ABB1C163C93A256A206AC75443D4A1B26D4F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.423{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E63B26B6AEFCCBD0E2C60B620B7A86,SHA256=031EAB42ACFBCA0CA7B35B9F1EF71789A6BD8A3589C73C0BD005C44E4CC6147C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:08.438{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910E6B934B2150F7E937FCA03ED1B879,SHA256=9341E4015793D91ABB09877E9692F19FBCFCCE7BED06A8CAFFA91CAD00C3BE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:08.320{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1696D03813F0D85745432B26D862D553,SHA256=4083883E8C937E2010541328816FC221B40466D4FA7405B8FD62904C2451AFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A396C60C6CA571952D8540970A0FB1,SHA256=D3E67002F045B30A6C559CC47F54BF549ADF6BD8478EF31FC597E5D3D87AB588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:09.442{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0189FA26C7CD79B34333C56E2AFBAC,SHA256=61AB5B5F4105267AAF6F342BA1333DC504F889AA3E43412DF0FF5BCD3BAE4927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.047{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.062{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52273-false10.0.1.12-8000- 354300x800000000000000026089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.768{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1112C65ABE5DFB10FC55D6C0741B9C,SHA256=286924CF6285A6339E3DECB98B0E7986AD9F0F635D51413AF1AA4D107B7D03BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:10.446{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6266A492B6676F28A99795089DAFDEC6,SHA256=8A9D0B21F147162162286A79DB09DA9918424CCC9E9858DE2A5B7E55B9E55566,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.174{D371C250-BA7E-6124-9D06-00000000F101}3168416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.049{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A3F3F87B0172B2E682A6E7C18057B4,SHA256=EE66658F9D02DA65532B8E299DEAEF3A0BD0D14B7B6813A29FB173A2936B171E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7E-6124-9D06-00000000F101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BA7E-6124-9D06-00000000F101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7E-6124-9D06-00000000F101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.034{D371C250-BA7E-6124-9D06-00000000F101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7F-6124-9F06-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BA7F-6124-9F06-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.846{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7F-6124-9F06-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.847{D371C250-BA7F-6124-9F06-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB9510F2738BCD974786573ADA5476,SHA256=2F95C3576AC5F6A6395B7264B95515473C99EBF0E744EC9280C155DAF901D142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:11.451{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAD438EDA02BF4084F169AB76D52076,SHA256=D1E86D6A2162880A20B868D9F9FE837E005996A987613C66C235DD2FD0925C36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.377{D371C250-BA7F-6124-9E06-00000000F101}3200840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7F-6124-9E06-00000000F101}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA7F-6124-9E06-00000000F101}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.174{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7F-6124-9E06-00000000F101}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:11.175{D371C250-BA7F-6124-9E06-00000000F101}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFDC055B5DA611632242EC2CCED6F50,SHA256=06543254541786FC1F7F0D73E5F512C8BF11165B54277EB15E0C0274B3554DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:12.458{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940B585AEAA95DFAEADA69F9F22A928,SHA256=9A291E75F3D817714659096981E751250B03868BE5C8EB4CAAE545A3AE324C8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.347{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.190{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C641AE9BA28D48D2F98A0DDA5794B9,SHA256=3E160ED8D68AA218E1CEDC785DD7EDCC118C52C1438197637CF5C62AC2B8863E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.096{D371C250-BA7F-6124-9F06-00000000F101}824428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B842E40F400308702C837E2E8F36E3,SHA256=6DDEE4D4D262A3FEB683966919BE3B5387A384EBFDFC30AA732FAAB5C2CFC0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:13.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10616A983B36B51E29481DDC47E5857C,SHA256=ADD2D981F7328B132E9162CCD8BF59B04D3725E063C871DACC0B5D7C63B1E7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.346{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38F1324123D5E4EA10BE81FE89A1BA74,SHA256=D935D1B7A3E81438E7455D0BCAB1E44CDF95CE9B2C5E2FAB92A715CB21561084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:13.156{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-109MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:14.589{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29106B41B039617FD8EF37AE6675A229,SHA256=BFC19A34943AA150C6BABD44EAB3D1AFC9DDC84001FE1EF3A02DFE06DFDD30DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:14.155{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:15.593{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA2A8B00426FA03915EFA297097E35,SHA256=9031D8F9F29FD6BC7DA4ABE7D30744D60BE73D333177D4E12C80603CBA1381EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:15.049{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B578FA80E3D0140A7E5301B50309E41E,SHA256=2EB944ACE7D05057EF2ED6A42BAB36C938D6CA4C26EF78EA26E81115E5EBFF2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:10.981{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52274-false10.0.1.12-8000- 23542300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.915{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.610{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31D3BB781BE08CF665DAC3FF3DDC00A,SHA256=09264E0FDB1B879CE1BF1B1DDCA7D563454CFDF4793C48C4E0CD7CAEF54AC123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:16.268{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E47CE5D9D9AA3ECA26DE49760F1EC5,SHA256=D25DD9D270E8923127386F920B842B9E47A2411DAF8F248195B3DA3DA3504E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.347{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.339{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22 23542300x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:17.612{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257C2EEDE47B1948C8FB513C2E860C8,SHA256=BC56B516857E9D3F9B16EB63008C1CBA9240444EF6E652173B0269C635347B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:17.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC08D0B036A3A87BEEA113D6C1418F91,SHA256=AC59B6DFA456169942E5B3BB126447D4C19B29A592E36F000F151DA489210868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:17.234{80A11F3A-A44D-6124-C804-00000000F001}50644308C:\Windows\system32\taskhostw.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000026138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.848{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:18.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021E3A18EE3315059DBA69B7A54CB747,SHA256=3134C9168466B4E67979CB4274D9DA6D56BB087DC5A1E0DC7F4F05409218B176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.623{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E8DD78A6B60667B84ED5865829B342,SHA256=34202126E3D8AF1FD4C4D9F5EEA0D864793A5E1CA757EE2EF2C8E1838C5AF9A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.520{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.505{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.505{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:19.549{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBB81D9D0410C951377DDC88F509DCA,SHA256=B3EA41BBEB938E6DBB20512DC00AAE2DF3F3FC97632BFAD4A5CCC142758A5BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:19.625{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D6E9C1E1D14B1822045C74B386E509,SHA256=F069514DD498342617630F99054BAE1341A29F3A2A31169417313F013CAD6CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:20.580{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62C9FD81734678E76AFCD1FC83D4F53,SHA256=BAAAE1DC0C17A9B07F2FC19277DF0D1C362F3AE88EECF0D60EB80A366D8635D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:20.628{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D56055E69E8A67E654DDE7269D0AA,SHA256=9FC3998057A8EC715D766AD6F337A490034C36D679363087E2C898637A2017DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.026{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52275-false10.0.1.12-8000- 23542300x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:21.632{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77FF6FFF049ADDA4C62C92BF3932E0,SHA256=DC8786779E5FD35CBC95797D22A80DDBA1C3AFDE62C86C1384AB89706C25FA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:21.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F751DC18342D4B3BB0B9EFBBD6AD5FF,SHA256=EDBF9200E190C5276DE64815CD5EC3206BC6BBACE143BC3FE9962EDF629FA7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:22.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061099DFAAD79AC84679C6628B75AD7B,SHA256=F4DA6A2F6B3C5E64357B3904EED52F57D6F11A35A3D18D695BFC3F8DDA6557E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:22.635{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22AF8D0B80A7F9138738ABBB704B3,SHA256=485B811302FD1AF8EA6338F02485FF65D3411A4BFC7C7102EBDEE3C987BB7318,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:19.676{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:23.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC3C2C0A007F2123C580CDCEAFEAA81,SHA256=4893341BB3CF8D643CF3BD45D1A333DC3DA68D8565FF3B4E4F2F89E23BA6490E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:23.637{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50BD2D35DC675D75C5B4DC0DC0D4A08,SHA256=34337EFDA06F2CA17EC28671B890FDFC0A3E0EE74D2F6DD85090AC1B640D30E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:24.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65032065495D98D4E897DFD6B64508C2,SHA256=41CFAD06ADD86D23FC09203F4FAFA93D877ED2213FF365E06A1014B3ADB9C497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.658{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46866BFA35883F89E5F59F64F6A2C27,SHA256=2D8F6CB9D1C11A71FADC073AA7AF318D91EC8896C4734C12FF3FEE0BBC3C2D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.331{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.326{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.326{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:25.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5D0B92DD99BC62AC92F64EAC6ACBF5,SHA256=844454362565C3DE6EF7FCCF658320CABEA4DDED9977D3C6890EDB31A27DF0C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.775{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.772{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.772{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.771{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.769{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.664{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA2F5A6D48A3D39242760D4AD648FE,SHA256=9104A14CA2DFBA29BF780F54B07567320B48C53FE2DAC0AC0442EBA670C92EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:21.923{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52276-false10.0.1.12-8000- 13241300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:25.159{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXEHKU\S-1-5-21-3401929934-754655068-3831493345-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.149{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.149{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.148{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.147{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:26.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC87D2B0C779711725DD577FB67B14C,SHA256=3DE64342617298930DAA54F32369F917AF3F12812A3DD064E1C3207049A3177B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.989{80A11F3A-A44E-6124-D004-00000000F001}41606380C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026 154100x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.980{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\PowerSploit-master\" -spe -an -ai#7zMap7642:114:7zEvent18907C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.820{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068E86E6F388D502F0D01C074A678F76,SHA256=87F88412F3C4819B92551E75D4131953E1BD217E7B8A4F042C8ED5EE788A3176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.819{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2EE5688427396852820356314A9D5D,SHA256=E67198A44E58B40821DD25CC03553B556ED843A34D72821EECDF28D8672E94A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.677{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F35621C63568DA1805C8BAF42F0B03,SHA256=FEAC676C6DCFEF4ECA1DDE2F9E1EC321EA59D75475D490382D21A7B940C58D32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.454{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.452{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.452{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.450{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:27.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D3F1F446D28B07BB52C32D385812F4,SHA256=F4153C47B09989CFBDA87815606587FBE7EADE6F9189B986ED477A6436FC3B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.690{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E7A28C5E25A0A232901D184FE30452,SHA256=351D33A783152B7C2B0549C2AA924B917501DA764163CFA49D846B6318338A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:24.817{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.514{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09C885180569303B48E878C4E150227,SHA256=2493C4FF03D2C6067BE5476B15F571BFA1A3D8522309DAA151517E949C8C2FE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.398{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\mkdocs.yml2021-08-24 09:23:27.398 11241100x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.397{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\index.md2021-08-24 09:23:27.397 11241100x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.397{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Remove-Comment.md2021-08-24 09:23:27.397 11241100x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.396{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-EncryptedScript.md2021-08-24 09:23:27.395 11241100x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.395{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-EncodedCommand.md2021-08-24 09:23:27.395 11241100x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.394{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-CompressedDll.md2021-08-24 09:23:27.394 11241100x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.394{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification2021-08-24 09:23:27.394 11241100x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.393{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\index.md2021-08-24 09:23:27.393 11241100x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.393{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Test-AdminAccess.md2021-08-24 09:23:27.392 11241100x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.392{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainUserPassword.md2021-08-24 09:23:27.391 11241100x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.391{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainObjectOwner.md2021-08-24 09:23:27.391 11241100x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.390{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainObject.md2021-08-24 09:23:27.390 11241100x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.389{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Resolve-IPAddress.md2021-08-24 09:23:27.389 11241100x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.389{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Remove-RemoteConnection.md2021-08-24 09:23:27.389 11241100x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.388{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\New-DomainUser.md2021-08-24 09:23:27.388 11241100x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.387{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\New-DomainGroup.md2021-08-24 09:23:27.387 11241100x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.387{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-UserImpersonation.md2021-08-24 09:23:27.386 11241100x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.386{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-RevertToSelf.md2021-08-24 09:23:27.386 11241100x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.385{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-ReverseDnsLookup.md2021-08-24 09:23:27.385 11241100x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.384{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-Portscan.md2021-08-24 09:23:27.384 11241100x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.383{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-Kerberoast.md2021-08-24 09:23:27.383 11241100x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.383{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegProxy.md2021-08-24 09:23:27.383 11241100x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.382{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegMountedDrive.md2021-08-24 09:23:27.382 11241100x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.381{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegLastLoggedOn.md2021-08-24 09:23:27.381 11241100x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.381{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegCachedRDPConnection.md2021-08-24 09:23:27.381 11241100x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.380{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIProcess.md2021-08-24 09:23:27.380 11241100x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.380{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-RegLoggedOn.md2021-08-24 09:23:27.379 11241100x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.379{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-PathAcl.md2021-08-24 09:23:27.378 11241100x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.377{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetShare.md2021-08-24 09:23:27.377 11241100x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.377{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetSession.md2021-08-24 09:23:27.376 11241100x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.376{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetRDPSession.md2021-08-24 09:23:27.376 11241100x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.375{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLoggedon.md2021-08-24 09:23:27.375 11241100x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.374{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLocalGroupMember.md2021-08-24 09:23:27.374 11241100x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.374{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLocalGroup.md2021-08-24 09:23:27.374 11241100x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.373{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetComputerSiteName.md2021-08-24 09:23:27.373 11241100x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.373{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-HttpStatus.md2021-08-24 09:23:27.372 11241100x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.370{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestTrust.md2021-08-24 09:23:27.370 11241100x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.369{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestGlobalCatalog.md2021-08-24 09:23:27.369 11241100x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.368{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestDomain.md2021-08-24 09:23:27.368 11241100x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.366{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-Forest.md2021-08-24 09:23:27.366 11241100x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.365{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainUserEvent.md2021-08-24 09:23:27.365 11241100x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.364{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainUser.md2021-08-24 09:23:27.364 11241100x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.364{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainTrustMapping.md2021-08-24 09:23:27.364 11241100x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.363{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainTrust.md2021-08-24 09:23:27.363 11241100x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.363{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSubnet.md2021-08-24 09:23:27.362 11241100x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.362{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSite.md2021-08-24 09:23:27.362 11241100x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.361{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSPNTicket.md2021-08-24 09:23:27.361 11241100x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.361{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSID.md2021-08-24 09:23:27.361 11241100x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.360{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainPolicy.md2021-08-24 09:23:27.360 11241100x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.360{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainObjectAcl.md2021-08-24 09:23:27.359 11241100x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.359{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainObject.md2021-08-24 09:23:27.359 11241100x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.358{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainOU.md2021-08-24 09:23:27.358 11241100x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.358{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainManagedSecurityGroup.md2021-08-24 09:23:27.357 11241100x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.357{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGroupMember.md2021-08-24 09:23:27.355 11241100x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.355{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGroup.md2021-08-24 09:23:27.355 11241100x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.354{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOUserLocalGroupMapping.md2021-08-24 09:23:27.354 11241100x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.353{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOLocalGroup.md2021-08-24 09:23:27.353 11241100x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.352{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOComputerLocalGroupMapping.md2021-08-24 09:23:27.352 11241100x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.352{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPO.md2021-08-24 09:23:27.352 11241100x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.351{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainForeignUser.md2021-08-24 09:23:27.351 11241100x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.350{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainForeignGroupMember.md2021-08-24 09:23:27.350 11241100x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.350{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainFileServer.md2021-08-24 09:23:27.349 11241100x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.348{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDNSZone.md2021-08-24 09:23:27.348 11241100x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.348{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDNSRecord.md2021-08-24 09:23:27.348 11241100x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.347{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDFSShare.md2021-08-24 09:23:27.347 11241100x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.347{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainController.md2021-08-24 09:23:27.347 11241100x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.346{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainComputer.md2021-08-24 09:23:27.346 11241100x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.345{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-Domain.md2021-08-24 09:23:27.345 11241100x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.345{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ComputerDetail.md2021-08-24 09:23:27.345 11241100x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.344{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-LocalAdminAccess.md2021-08-24 09:23:27.344 11241100x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.343{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingFile.md2021-08-24 09:23:27.343 11241100x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.342{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingDomainShareFile.md2021-08-24 09:23:27.342 11241100x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.341{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingDomainAcl.md2021-08-24 09:23:27.341 11241100x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.341{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainUserLocation.md2021-08-24 09:23:27.340 11241100x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.340{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainUserEvent.md2021-08-24 09:23:27.339 23542300x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A50ADC076D9950AFF1AEAA09541E31,SHA256=3C5794F9A44BC6AE9FD3B776E79B2BCC98C15282A1D52EF52763E297C0EC13EE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.338{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainShare.md2021-08-24 09:23:27.338 11241100x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.337{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainProcess.md2021-08-24 09:23:27.337 11241100x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.336{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainObjectPropertyOutlier.md2021-08-24 09:23:27.336 11241100x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.335{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainLocalGroupMember.md2021-08-24 09:23:27.335 11241100x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.335{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Export-PowerViewCSV.md2021-08-24 09:23:27.334 11241100x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.334{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertTo-SID.md2021-08-24 09:23:27.334 11241100x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.333{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertFrom-UACValue.md2021-08-24 09:23:27.333 11241100x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.333{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertFrom-SID.md2021-08-24 09:23:27.333 11241100x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.332{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Convert-ADName.md2021-08-24 09:23:27.332 11241100x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.331{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-RemoteConnection.md2021-08-24 09:23:27.331 11241100x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.330{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-DomainObjectAcl.md2021-08-24 09:23:27.330 11241100x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.330{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-DomainGroupMember.md2021-08-24 09:23:27.329 11241100x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.329{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon2021-08-24 09:23:27.329 11241100x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.329{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\index.md2021-08-24 09:23:27.329 11241100x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.328{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-UserAddMSI.md2021-08-24 09:23:27.328 11241100x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.328{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-ServiceBinary.md2021-08-24 09:23:27.327 11241100x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.327{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-HijackDll.md2021-08-24 09:23:27.327 11241100x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.326{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Test-ServiceDaclPermission.md2021-08-24 09:23:27.326 11241100x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.326{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Set-ServiceBinaryPath.md2021-08-24 09:23:27.326 11241100x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.325{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Restore-ServiceBinary.md2021-08-24 09:23:27.324 11241100x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.324{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-WScriptUACBypass.md2021-08-24 09:23:27.324 11241100x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.323{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-ServiceAbuse.md2021-08-24 09:23:27.323 11241100x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.323{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-PrivescAudit.md2021-08-24 09:23:27.322 11241100x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.322{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Install-ServiceBinary.md2021-08-24 09:23:27.322 11241100x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.321{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-WebConfig.md2021-08-24 09:23:27.321 11241100x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.321{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-UnquotedService.md2021-08-24 09:23:27.321 11241100x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.320{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-UnattendedInstallFile.md2021-08-24 09:23:27.320 11241100x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.320{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-System.md2021-08-24 09:23:27.319 11241100x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.319{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-SiteListPassword.md2021-08-24 09:23:27.318 11241100x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.317{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ServiceDetail.md2021-08-24 09:23:27.316 11241100x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.316{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-RegistryAutoLogon.md2021-08-24 09:23:27.315 11241100x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.315{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-RegistryAlwaysInstallElevated.md2021-08-24 09:23:27.315 11241100x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.314{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ProcessTokenPrivilege.md2021-08-24 09:23:27.314 11241100x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.314{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ProcessTokenGroup.md2021-08-24 09:23:27.314 11241100x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.313{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableServiceFile.md2021-08-24 09:23:27.313 11241100x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.313{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableService.md2021-08-24 09:23:27.312 11241100x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.312{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableScheduledTaskFile.md2021-08-24 09:23:27.312 11241100x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.311{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableRegistryAutoRun.md2021-08-24 09:23:27.311 11241100x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.311{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiablePath.md2021-08-24 09:23:27.311 11241100x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.310{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-CachedGPPPassword.md2021-08-24 09:23:27.310 10341000x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.310{80A11F3A-BA8F-6124-3209-00000000F001}62406260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.309{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ApplicationHost.md2021-08-24 09:23:27.309 11241100x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.309{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Find-ProcessDLLHijack.md2021-08-24 09:23:27.308 11241100x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.308{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Find-PathDLLHijack.md2021-08-24 09:23:27.308 11241100x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.307{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Enable-Privilege.md2021-08-24 09:23:27.307 11241100x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.307{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Add-ServiceDacl.md2021-08-24 09:23:27.307 11241100x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.306{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc2021-08-24 09:23:27.306 11241100x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.306{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\New-UserPersistenceOption.md2021-08-24 09:23:27.306 11241100x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.305{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\New-ElevatedPersistenceOption.md2021-08-24 09:23:27.305 11241100x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.304{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Install-SSP.md2021-08-24 09:23:27.304 11241100x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.303{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Get-SecurityPackage.md2021-08-24 09:23:27.303 11241100x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.302{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Add-Persistence.md2021-08-24 09:23:27.302 11241100x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.302{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence2021-08-24 09:23:27.301 11241100x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.300{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem\Set-MasterBootRecord.md2021-08-24 09:23:27.300 11241100x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.300{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem\Set-CriticalProcess.md2021-08-24 09:23:27.299 11241100x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.299{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem2021-08-24 09:23:27.299 11241100x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.298{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-WmiCommand.md2021-08-24 09:23:27.298 11241100x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.297{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-Shellcode.md2021-08-24 09:23:27.297 11241100x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.296{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-ReflectivePEInjection.md2021-08-24 09:23:27.296 11241100x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.295{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-DllInjection.md2021-08-24 09:23:27.295 11241100x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.295{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution2021-08-24 09:23:27.295 11241100x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.294{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\AntivirusBypass\Find-AVSignature.md2021-08-24 09:23:27.294 11241100x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.294{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\AntivirusBypass2021-08-24 09:23:27.294 11241100x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.293{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs2021-08-24 09:23:27.293 11241100x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.291{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests\Recon.tests.ps12021-08-24 09:23:27.291 11241100x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.291{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests\Privesc.tests.ps12021-08-24 09:23:27.290 11241100x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.290{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests\PowerSploit.tests.ps12021-08-24 09:23:27.289 11241100x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.289{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests\Exfiltration.tests.ps12021-08-24 09:23:27.289 11241100x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.288{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests\CodeExecution.tests.ps12021-08-24 09:23:27.288 11241100x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.287{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Tests2021-08-24 09:23:27.287 11241100x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.286{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Usage.md2021-08-24 09:23:27.286 11241100x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.286{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\ScriptModification.psm12021-08-24 09:23:27.286 11241100x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.285{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\ScriptModification.psd12021-08-24 09:23:27.285 11241100x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.285{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Remove-Comment.ps12021-08-24 09:23:27.284 11241100x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.283{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-EncryptedScript.ps12021-08-24 09:23:27.282 11241100x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.282{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-EncodedCommand.ps12021-08-24 09:23:27.282 11241100x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.281{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-CompressedDll.ps12021-08-24 09:23:27.281 11241100x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.281{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification2021-08-24 09:23:27.281 11241100x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.280{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Recon.psm12021-08-24 09:23:27.280 11241100x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.279{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Recon.psd12021-08-24 09:23:27.279 11241100x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.279{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\README.md2021-08-24 09:23:27.279 11241100x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.273{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps12021-08-24 09:23:27.273 11241100x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.273{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-ReverseDnsLookup.ps12021-08-24 09:23:27.272 11241100x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.272{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-Portscan.ps12021-08-24 09:23:27.271 11241100x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.271{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-CompareAttributesForClass.ps12021-08-24 09:23:27.271 11241100x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.270{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Get-HttpStatus.ps12021-08-24 09:23:27.269 11241100x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.269{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Get-ComputerDetail.ps12021-08-24 09:23:27.269 11241100x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.268{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\sharepoint.txt2021-08-24 09:23:27.268 11241100x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.267{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\generic.txt2021-08-24 09:23:27.267 11241100x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.266{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\admin.txt2021-08-24 09:23:27.266 11241100x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.266{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries2021-08-24 09:23:27.266 11241100x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.266{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Recon2021-08-24 09:23:27.266 11241100x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.265{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\README.md2021-08-24 09:23:27.265 11241100x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.265{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc\README.md2021-08-24 09:23:27.265 11241100x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.264{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Privesc.psm12021-08-24 09:23:27.263 11241100x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.263{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Privesc.psd12021-08-24 09:23:27.263 11241100x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.257{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc\PowerUp.ps12021-08-24 09:23:27.256 11241100x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.256{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Get-System.ps12021-08-24 09:23:27.256 11241100x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.255{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Privesc2021-08-24 09:23:27.255 11241100x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.255{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.sln2021-08-24 09:23:27.255 11241100x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.254{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.pssproj2021-08-24 09:23:27.254 11241100x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.253{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.psm12021-08-24 09:23:27.253 11241100x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.253{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.psd12021-08-24 09:23:27.253 11241100x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.252{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Usage.md2021-08-24 09:23:27.252 11241100x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.251{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Persistence.psm12021-08-24 09:23:27.250 11241100x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.250{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Persistence.psd12021-08-24 09:23:27.250 11241100x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.249{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Persistence2021-08-24 09:23:27.249 11241100x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.249{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Usage.md2021-08-24 09:23:27.249 11241100x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.248{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Mayhem.psm12021-08-24 09:23:27.248 11241100x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.247{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Mayhem.psd12021-08-24 09:23:27.247 11241100x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.247{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Mayhem2021-08-24 09:23:27.247 11241100x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.247{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\LICENSE2021-08-24 09:23:27.246 11241100x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.246{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\VolumeShadowCopyTools.ps12021-08-24 09:23:27.245 11241100x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.244{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Usage.md2021-08-24 09:23:27.244 11241100x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.244{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Out-Minidump.ps12021-08-24 09:23:27.244 11241100x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.243{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\targetver.h2021-08-24 09:23:27.243 11241100x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.240{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\stdafx.h2021-08-24 09:23:27.240 11241100x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.240{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\stdafx.cpp2021-08-24 09:23:27.240 11241100x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.239{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\dllmain.cpp2021-08-24 09:23:27.239 11241100x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.239{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\ReadMe.txt2021-08-24 09:23:27.238 11241100x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.238{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_FileRecord.h2021-08-24 09:23:27.238 11241100x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.237{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_DataType.h2021-08-24 09:23:27.237 11241100x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.236{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_Common.h2021-08-24 09:23:27.236 11241100x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.235{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_Attribute.h2021-08-24 09:23:27.235 11241100x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.235{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.vcxproj.filters2021-08-24 09:23:27.234 11241100x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.234{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.vcxproj2021-08-24 09:23:27.233 11241100x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.232{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.cpp2021-08-24 09:23:27.232 11241100x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.231{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS.h2021-08-24 09:23:27.231 11241100x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.230{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL2021-08-24 09:23:27.229 11241100x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.229{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\targetver.h2021-08-24 09:23:27.229 11241100x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.228{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\stdafx.h2021-08-24 09:23:27.228 11241100x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.228{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\stdafx.cpp2021-08-24 09:23:27.228 11241100x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.227{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\ReadMe.txt2021-08-24 09:23:27.227 11241100x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.226{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_FileRecord.h2021-08-24 09:23:27.226 11241100x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.225{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_DataType.h2021-08-24 09:23:27.225 11241100x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.225{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_Common.h2021-08-24 09:23:27.225 11241100x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.224{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_Attribute.h2021-08-24 09:23:27.224 11241100x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.223{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.vcxproj.filters2021-08-24 09:23:27.222 11241100x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.222{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.vcxproj2021-08-24 09:23:27.222 11241100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.221{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.cpp2021-08-24 09:23:27.221 11241100x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.220{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS.h2021-08-24 09:23:27.220 11241100x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.220{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser2021-08-24 09:23:27.219 11241100x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.219{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser.sln2021-08-24 09:23:27.219 11241100x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.219{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser2021-08-24 09:23:27.218 11241100x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.218{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\targetver.h2021-08-24 09:23:27.218 11241100x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.217{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\stdafx.h2021-08-24 09:23:27.217 11241100x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.217{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\stdafx.cpp2021-08-24 09:23:27.217 11241100x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.216{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.vcxproj.filters2021-08-24 09:23:27.215 11241100x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.215{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.vcxproj2021-08-24 09:23:27.215 11241100x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.214{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.cpp2021-08-24 09:23:27.214 11241100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.214{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\dllmain.cpp2021-08-24 09:23:27.214 11241100x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.213{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\ReadMe.txt2021-08-24 09:23:27.213 11241100x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.213{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon2021-08-24 09:23:27.213 11241100x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.212{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\targetver.h2021-08-24 09:23:27.212 11241100x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.212{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\stdafx.h2021-08-24 09:23:27.212 11241100x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.211{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\stdafx.cpp2021-08-24 09:23:27.211 11241100x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.210{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\ReadMe.txt2021-08-24 09:23:27.210 11241100x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.210{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.vcxproj.filters2021-08-24 09:23:27.209 11241100x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.208{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.vcxproj2021-08-24 09:23:27.208 11241100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.208{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.cpp2021-08-24 09:23:27.208 11241100x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.207{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser2021-08-24 09:23:27.207 11241100x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser.sln2021-08-24 09:23:27.206 11241100x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser2021-08-24 09:23:27.206 11241100x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser2021-08-24 09:23:27.205 11241100x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.204{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-TokenManipulation.ps12021-08-24 09:23:27.204 23542300x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.201{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482ABC3EC480E687CC2AB19180E0A855,SHA256=51A54D219ED26F26198DBD9E3198A8AB136DA4C4A3FE326CB0DF97D4825F89DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.199{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-NinjaCopy.ps12021-08-24 09:23:27.199 11241100x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.174{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-Mimikatz.ps12021-08-24 09:23:27.174 11241100x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.169{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-CredentialInjection.ps12021-08-24 09:23:27.169 11241100x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.168{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-VaultCredential.ps1xml2021-08-24 09:23:27.168 11241100x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.168{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-VaultCredential.ps12021-08-24 09:23:27.167 11241100x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.167{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-TimedScreenshot.ps12021-08-24 09:23:27.167 11241100x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.166{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-MicrophoneAudio.ps12021-08-24 09:23:27.166 11241100x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.165{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-Keystrokes.ps12021-08-24 09:23:27.165 11241100x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.165{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-GPPPassword.ps12021-08-24 09:23:27.164 11241100x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.164{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-GPPAutologon.ps12021-08-24 09:23:27.163 11241100x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.162{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Exfiltration.psm12021-08-24 09:23:27.162 11241100x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.161{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Exfiltration.psd12021-08-24 09:23:27.161 11241100x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.160{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration2021-08-24 09:23:27.160 11241100x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.160{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Usage.md2021-08-24 09:23:27.160 11241100x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.159{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-WmiCommand.ps12021-08-24 09:23:27.159 11241100x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.158{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-Shellcode.ps12021-08-24 09:23:27.158 11241100x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.157{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\GetProcAddress.asm2021-08-24 09:23:27.157 11241100x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.157{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\ExitThread.asm2021-08-24 09:23:27.156 11241100x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.155{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\CallDllMain.asm2021-08-24 09:23:27.155 11241100x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.155{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x862021-08-24 09:23:27.154 11241100x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.154{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\LoadLibraryA.asm2021-08-24 09:23:27.153 11241100x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.152{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\GetFuncAddress.asm2021-08-24 09:23:27.152 11241100x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.151{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\ExitThread.asm2021-08-24 09:23:27.151 11241100x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.150{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\CallDllMain.asm2021-08-24 09:23:27.150 11241100x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.149{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x642021-08-24 09:23:27.149 11241100x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.149{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\readme.txt2021-08-24 09:23:27.148 11241100x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.148{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode2021-08-24 09:23:27.148 11241100x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.147{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\targetver.h2021-08-24 09:23:27.147 11241100x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.146{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\stdafx.h2021-08-24 09:23:27.146 11241100x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.146{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\stdafx.cpp2021-08-24 09:23:27.145 11241100x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.145{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ReadMe.txt2021-08-24 09:23:27.145 11241100x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.144{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.vcxproj.filters2021-08-24 09:23:27.143 11241100x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.142{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.vcxproj2021-08-24 09:23:27.141 11241100x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.141{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.cpp2021-08-24 09:23:27.141 11241100x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.140{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo2021-08-24 09:23:27.140 11241100x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.139{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo.sln2021-08-24 09:23:27.139 11241100x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.139{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo2021-08-24 09:23:27.138 11241100x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.138{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\targetver.h2021-08-24 09:23:27.137 11241100x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.137{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\stdafx.h2021-08-24 09:23:27.137 11241100x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.136{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\stdafx.cpp2021-08-24 09:23:27.136 11241100x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.135{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\ReadMe.txt2021-08-24 09:23:27.135 11241100x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.135{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.vcxproj.filters2021-08-24 09:23:27.134 11241100x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.133{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.vcxproj2021-08-24 09:23:27.133 11241100x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.132{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.cpp2021-08-24 09:23:27.132 11241100x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.131{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd2021-08-24 09:23:27.131 11241100x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.131{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\targetver.h2021-08-24 09:23:27.130 11241100x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.130{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\stdafx.h2021-08-24 09:23:27.130 11241100x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.129{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\stdafx.cpp2021-08-24 09:23:27.129 11241100x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.128{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\ReadMe.txt2021-08-24 09:23:27.128 11241100x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.127{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\DemoExe_MD.vcxproj.filters2021-08-24 09:23:27.126 10341000x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.125{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8F-6124-3209-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.125{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\DemoExe_MD.vcxproj2021-08-24 09:23:27.125 11241100x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.124{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\DemoExe_MD.cpp2021-08-24 09:23:27.124 10341000x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.123{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.123{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD2021-08-24 09:23:27.123 10341000x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.123{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.123{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.122{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe.sln2021-08-24 09:23:27.122 11241100x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.122{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe2021-08-24 09:23:27.122 10341000x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.122{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.121{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.121{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.121{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\targetver.h2021-08-24 09:23:27.121 10341000x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.121{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.121{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.120{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.120{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.120{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA8F-6124-3209-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 11241100x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.120{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\stdafx.h2021-08-24 09:23:27.120 10341000x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.120{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA8F-6124-3209-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.119{80A11F3A-BA8F-6124-3209-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.119{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.119{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\stdafx.cpp2021-08-24 09:23:27.119 11241100x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.118{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\dllmain.cpp2021-08-24 09:23:27.118 11241100x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.117{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\ReadMe.txt2021-08-24 09:23:27.117 11241100x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.116{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj.filters2021-08-24 09:23:27.115 10341000x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.115{80A11F3A-A44D-6124-C804-00000000F001}50644308C:\Windows\system32\taskhostw.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.114{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj2021-08-24 09:23:27.114 10341000x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.114{80A11F3A-A44D-6124-C804-00000000F001}50644308C:\Windows\system32\taskhostw.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.113{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.cpp2021-08-24 09:23:27.113 11241100x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.113{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess2021-08-24 09:23:27.113 11241100x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.112{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.sln2021-08-24 09:23:27.112 11241100x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.112{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL_RemoteProcess2021-08-24 09:23:27.112 11241100x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.111{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\targetver.h2021-08-24 09:23:27.111 10341000x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.111{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.111{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.110{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.110{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.110{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\stdafx.h2021-08-24 09:23:27.110 11241100x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.110{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\stdafx.cpp2021-08-24 09:23:27.109 11241100x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.109{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\dllmain.cpp2021-08-24 09:23:27.109 11241100x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.108{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\ReadMe.txt2021-08-24 09:23:27.108 11241100x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.107{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\DemoDLL.vcxproj.filters2021-08-24 09:23:27.107 11241100x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.106{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\DemoDLL.vcxproj2021-08-24 09:23:27.106 11241100x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.106{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\DemoDLL.h2021-08-24 09:23:27.105 11241100x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.105{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL\DemoDLL.cpp2021-08-24 09:23:27.105 11241100x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.104{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL2021-08-24 09:23:27.104 11241100x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.103{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL\DemoDLL.sln2021-08-24 09:23:27.103 11241100x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.103{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoDLL2021-08-24 09:23:27.102 11241100x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.102{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources2021-08-24 09:23:27.102 11241100x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.100{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection.ps12021-08-24 09:23:27.099 11241100x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.099{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-DllInjection.ps12021-08-24 09:23:27.098 11241100x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.097{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\CodeExecution.psm12021-08-24 09:23:27.097 11241100x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.097{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\CodeExecution.psd12021-08-24 09:23:27.097 11241100x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.096{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution2021-08-24 09:23:27.096 11241100x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.095{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\AntivirusBypass\Usage.md2021-08-24 09:23:27.095 11241100x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.094{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\AntivirusBypass\Find-AVSignature.ps12021-08-24 09:23:27.094 11241100x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.093{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\AntivirusBypass\AntivirusBypass.psm12021-08-24 09:23:27.093 11241100x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.093{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\AntivirusBypass\AntivirusBypass.psd12021-08-24 09:23:27.092 11241100x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.092{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\AntivirusBypass2021-08-24 09:23:27.092 11241100x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.092{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\.gitignore2021-08-24 09:23:27.091 11241100x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.091{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master2021-08-24 09:23:27.090 10341000x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.014{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.014{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:28.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04220726B5FCD74A942F7A9C86F647F8,SHA256=862081511B4521E2877B2946523143E7D5B5FD894094EC6AA5B101895B921EF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.968{80A11F3A-BA90-6124-3409-00000000F001}48041576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.791{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA90-6124-3409-00000000F001}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.788{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.788{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.788{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA90-6124-3409-00000000F001}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.788{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.788{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.787{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA90-6124-3409-00000000F001}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.787{80A11F3A-BA90-6124-3409-00000000F001}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.704{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A1295C5740B5AE4BE7131224E79C38,SHA256=EC1C28031EFA649DBC5141B10F04F75090068CF1303F277BE86AB021B0ADDB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.698{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BED6586EBB7E26F54837E6A4B00060,SHA256=63C0EC309D222D3425C573A56E0C9F4492B31D34B5CDB456C69337533172C219,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.305{80A11F3A-BA90-6124-3309-00000000F001}45085976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.125{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.123{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.121{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.121{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.090{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068E86E6F388D502F0D01C074A678F76,SHA256=87F88412F3C4819B92551E75D4131953E1BD217E7B8A4F042C8ED5EE788A3176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:29.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F978841ADAC68A26DD05775B8E1ED3,SHA256=5DE06A7107E94EFCAB95A70921A62C8612282694B61223F525B706008ED2B6AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.849{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.846{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.846{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C037BE060F3BC93C4982FDD5CFFB1C8,SHA256=F50D80881C346FF4DFF179F81442F08E17A3F750F2FBD0047940B5B376022CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:29.348{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-102MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.516{80A11F3A-BA91-6124-3509-00000000F001}17081160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.330{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8645C49D85079AC872050955ACC6E98,SHA256=B26505F037DD745B8D7A3E40C4B1E36F2160EE167326B479B7E0A14A12829115,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e087) 13241300x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x50c2b7b5) 13241300x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xb2871fb5) 13241300x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x144b87b5) 13241300x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e087) 13241300x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x50c2b7b5) 13241300x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xb2871fb5) 13241300x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x144b87b5) 23542300x800000000000000026156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:30.689{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795804D2755F57C80B70DEDFDDDAC0C6,SHA256=99D0F0A864B49B595674D8928E91CD7218172AA256B039F271C2687262EBCB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:30.869{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27591593EE171778ECD5E3BE77F06A2C,SHA256=23E295C33F7DBC168AE2B2518E3F80B74059171A5E567F32B4DCC4E853E9CB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:30.347{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.989{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52277-false10.0.1.12-8000- 23542300x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:30.331{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D666D3D0DE2937CF09FB65E7E9033187,SHA256=C95E154CF9011F9D09ABEBF25023E02A9E6C7D6F32CEE7FD0A7C742B47C681FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:31.691{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC234745D7F84301FEF47DE0742C92E,SHA256=9704C2AE1A77B64DA8F243CFE88364D6128C5A1E4B2A4FDC9F2747F0742588C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.899{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5462815768CC15DCC8A0B387EC891E5,SHA256=BD2A262BDCFF22A3B9B135DA46DEAF056AF82BF5853D7030845A60BEE7CBEAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:32.769{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:32.753{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7054F8B16EFDFB8C0B72773D18A2A7,SHA256=65BF651CEABF1C09B63D61FA8ACB26296A7EED780912EBF762EA0A28223D9D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:32.916{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113A744B4D9FE4756713A4FFEF2FBBBF,SHA256=AF49C4661DC2CD0DE474652EF6E836C3376B13AC85145A3C8CCDC06331556F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:33.910{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69ABE86F04E8582FECBBC586C77170D0,SHA256=028E2B084C73E0C873D69A28F594F54D07CD34AB1C02590DE358D7A7278A89A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:33.935{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA7A0B7413EBB4B8B7C3CBDBD6C28B0,SHA256=AD21B9F2B4F6F66BEC355C723FD3A2AE7D4212581C00071EF336AA9ACDA758A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:30.821{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:33.619{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:34.950{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B81E6D5ED71365ABF987AC83508A592,SHA256=C883BF7C6002B79DC5FE819CAAEC744B20372FCD3289755A3D37E13F2718B262,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:32.365{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.420{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52278-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.420{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52278-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:34.519{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD1D7A1EEAA6F7725D70922CCF1BFE1,SHA256=FB2ED659FDF8430EF83E1334F1CCD5B78932EDE45A9E06AB26FCC9EEAC456F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:35.144{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4448FEBBD035FEFD13B33E7CE6C384,SHA256=1AC994B77093240AB62AB772819742D1B7BC13CBAC2FB451D11623CC860995BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:32.032{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52281-false10.0.1.12-8000- 354300x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.536{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52280-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.536{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52280-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.429{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local52279-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:31.428{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52279-false10.0.1.14win-dc-391.attackrange.local389ldap 10341000x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:36.175{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDED73294D71F7C0B6CD16ECBB63BFF,SHA256=2371F27250D89479505C02CAC736F2B24EF941C091B6CD3BB44C779B549E5FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:36.095{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1710632F4FCE80B62036335637666DEF,SHA256=16F2F942AF2AACFF2D0EEED3C707675496ACB04CE171BF88502D1FF141175828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:37.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832E6D04461E590C9351F889E0181C3F,SHA256=FBFC0154B6CFE095F48588A4A074CAFB94A91C7CE354C1C1AACF1AFEBD2D08F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-A44E-6124-D004-00000000F001}41606380C:\Windows\Explorer.EXE{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.462{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.112{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43832DAD8F9F1395E104BECE6A29DF78,SHA256=DF710DED0F0F911C52708E22D83613BF391833F7C9981C789F81E9A60A1517AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:38.425{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA6F20A9EB0A1BF545D858A16A1077F,SHA256=DEF62112B881306E2E12941D5C0F0C80F41F945876F6ED94FA057C6837F597E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.463{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F6D627D949A1F2D11E09352E7503D0,SHA256=8DD1E7002E752163757898FDFA912388E2DC64624A9B1F7959636959089CCBD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-0F00-00000000F001}316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.132{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473FF7D26B4612D800CA34E59A7744F5,SHA256=977E0C7369777B90A4062A5F3F628D2E43027AAF8552AD212AB2F12B1601F972,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:36.740{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:39.660{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF33B6B5B6629332121DCF9BE194EEA,SHA256=8B3B59F39848BE72406A94FC6DAFFDDFEF8FF547A64D9651C78A5677580212AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.598{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52282-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.598{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52282-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:39.147{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FFB0C92C553E5065C7E2128FDDA81D,SHA256=A2DBF556AB1DDD5D7089806AD413B6D9F33E0C6B22DD3E68E2B10F8FC2631C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:40.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEC60C49AB61571F1237A95860B63F1,SHA256=FDF60CA60A8FAC8C5DEE02FD8046B420031B96D9CFC943CFD81DC158A59E2066,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.050{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52283-false10.0.1.12-8000- 23542300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:40.147{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB14E802F7526881E29980F6778882,SHA256=98A484E26AF4C656637D993810B36A71CE02B4D341572846980C7B1725CE6B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:41.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BD75B344A269AEB5D64381246206A1,SHA256=97149DC204BB00AAE1C370530F798AC8F0AF8E7A2186BEACD488A74FCD4D7DFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:41.220{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:41.220{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:41.220{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF681013.TMPMD5=F3B490DAC4F6242A92DAE36D8B06AA0A,SHA256=AD4FE838909BB32367C28FCFAAD2E22EC59B55E1C3096D867F0192771CDE6048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:41.151{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEB6FB1D4B21AE01A8EAA0AB57C1788,SHA256=FB6D5582C96BF22419A211E05405FA77755D5D060DE6E4DE20A66A48C87456E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:42.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5D146104A94E7CBB74F8D6DAC4C7B3,SHA256=3345235BB9364B9D75E075EFC788B6DB4F8267285608CFBDD517BCEF90313D63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:42.198{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:42.167{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43268C56DF5FCFEABA2E6CBC5BB6A36,SHA256=79B24842C2901B3C47F3D3926FDC421EB66A6E566AB9D1CF15566647207E3A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:43.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0293BD195CE68ECB5FF59DAA2E67BEC,SHA256=6960B74BBC5E2861479FEED9227CEBD9EE18A4F8DECB6750486B6BA8E21C939F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:43.513{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A44D-6124-C304-00000000F001}4848C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:43.513{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFC-6124-0C00-00000000F001}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:43.182{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9708F41C655B74F41DA694B6B7E5AC77,SHA256=4A6EE54B1992F96D5138C399241DB0BE99379D5A39FFA6504D304DE251184727,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:41.756{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:44.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4172AE38C43C8A618BA9BB9718FE0E,SHA256=6CB18249EDDEA542531376196EDC79E72D3C3102188AF4A4718F878E0AF9954A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:44.196{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44D62146AA1B15EE3FED2FA6CD52CD4,SHA256=AB60BB687AFE072ACF514F42C367ED45C52109E26A65A62EA5E1B3F761CC0836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:45.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608B8630F2CA731812E6DCB83BFB5945,SHA256=6E7C408ED485000966325A81ED7A7FDFD1061739D9DA9C154211503954738259,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:42.153{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52284-false10.0.1.12-8000- 23542300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:45.364{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F098465E378D19A3D3EE3235A7C9B748,SHA256=9A9C902E48E018984C63597507EB23F95215ECA10C71FD475F0755390F971277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:45.364{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FC2FCDC597769B2EA98926A11F235E0,SHA256=5BA02BED5EE542E9454166DCFB1AEA12E536E4CC106C199B7793984622F93101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:45.213{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A440D32E6B0724B35A2C79C7E427496D,SHA256=22B669D34EB906B4807AD04818CB0FE804C72583F3A795D1CCDEBCD12C1CE778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:46.707{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878A5C0847F174CE3C246692F579338D,SHA256=D73087AF79E7F173220BD9026CD36ACD3B9D8FB5026783F5A8DCE377BDE33908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:46.231{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43F0F5AF25CD60FB23BA188FD83E387,SHA256=7FCB864286CF17A9D951872F3FD1F1C0718957C4878082D4A41DF9CAA825B073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:47.722{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF99FD3AAF8A0F5135C7C7E6AF7BE82,SHA256=70B7EE6C7704F804E7C30EE01F9CE4120832430C3A7DFA7E694D90DFAC57176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:47.246{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CEC3923BC066762CE95AD8707B1581,SHA256=56315BE565B196C7EDDAA6FBBD9AFFCF62199368E37A5B652E46F2B5C10288B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:48.722{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7EEA649475976BC7746635A4988144,SHA256=923DD2423E865BDF0541D0C09E96AC28E5CFD8684029EF972113A95C518B2036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:48.261{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB07B951CED8A89B954E627B7694F6,SHA256=E1FAB223E5C87E25911A1EFB3C818BA0B3DC65030E345C2814EB0F124661652C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:49.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E631D270B815F4F3772C8D369C4C96F9,SHA256=9F55A1FD52CA74AF65DCFBFEC0E39759DEE077892781F619FE0232C5E7991388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:49.291{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6495C709E4A629F01D12EED432AD00DA,SHA256=B1654FD2C0FE11706B3A62EB3B2CC844ADEF5C0A788F5B23BCEC88B2FFA0AC8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:47.787{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:50.804{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E5121183CBEA381EB82C73A59C1D3363,SHA256=6615123E9BA4C6E5B72A5216EA156DCC41099C32204B0EE5A2C48A722C449133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:50.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF39768EEA6F3C1832BB3B80F904C939,SHA256=63302BAB3199A0D97F75B41F3641F49D247D93BFBCE61C37E9D4776986CF454E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:50.328{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E83C3EAF7BC713148E9D1E5FC84F4BD,SHA256=7B4C48CA9F2657FC8118879C7045AC368F5D67D6DC49DD2C1BF6A253B0591760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:51.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED72A5521D5D02168E3F7C280208ABB9,SHA256=2A1815B04A57C5CBE30FE16FF83E19112A51395AA934ACDD4D69A728DC6A7EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:51.343{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B6C94F85E78AF31CD77F09AAC93412,SHA256=7A2CAB1F2975F53FFBC53FCEB281AA1EF9B188D5E9306AE82BEFADA406757D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:51.111{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:52.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E2399728B6D2A839772CEE8B2E53A8,SHA256=2E721F05D420223F06CB012A9AFE1FD707AA53C4D7991B24E74599F94C68D177,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:49.010{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52286-false10.0.1.12-8089- 354300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:48.079{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52285-false10.0.1.12-8000- 10341000x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.443{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.443{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.443{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.427{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.427{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.427{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.427{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:52.358{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762959E57B406EAAA844B1A7C6ABD96E,SHA256=ADED97BB21119AA21630545EDB4FC90FB8E4AAF94D87252096FC8929513DBDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:53.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A0C6DB210F323CD2965AEC6A23E709,SHA256=A00E81DC8DD5EB71552F17C609231C8C221489FFE34C9D57919E6E51C1A37570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:53.373{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1635D94959D36CEF5E4506E1801B4143,SHA256=6F2A3CD89F4A81ABDC04CE32E2EB890E987D73FFAEC43069A58A30DCD43DE344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:53.142{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:53.142{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:53.142{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:54.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0F37FCEE1655F6922F736FC6390358,SHA256=1FFD495F5A07AF48F98C81FEB048F17666194AD7CBE84D94FA05E624722136C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:54.389{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D9CAA5B25533121EF88C60F777A630,SHA256=B7653CACA5C484D06ACCA867B8F53CD9880ABAD69F8849E893855F5B5FFBE224,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:52.823{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:55.961{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067381632B094DF63B2B6BE457CCE4B,SHA256=7AFE10C70AC01849EE76AA9B4EFD415DD852F55EAD450DE39924FF0A4BD364B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:55.392{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A915DA724F45E5660E05283463021B62,SHA256=E3B17757E191B90857BE63D242B410824A242E4102A45B208F9BF4A6ECEF62CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:56.410{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351FD53ABE1D4497BA77E30189A90D29,SHA256=4D37EAC30A5E18C5CC894A1ECD0568B28246419411B39FA1DBEC54A9524AD11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:57.148{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF843FED94F3975E1207983EAF7871D,SHA256=0246DC7DC846C743E05E10510DBE6DF0C8BECE82F414780A6BDE3D3B920567D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:57.429{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DD87B73021C904CB8F5B1FEA64A0EE,SHA256=62C68A24FE6256F0F37FA543EA263EA1E53763BD79013B80E7BA7A20E37FE00D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:53.149{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52287-false10.0.1.12-8000- 23542300x800000000000000026190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:58.367{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8495688026B421070EA94378B8F922,SHA256=FBBCA5D11364E82C97FAEBBA6A2563386E7803D62010174F8F125D6753CD9488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.445{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A954F9101B9C736AD092CA0E4B2BE94C,SHA256=6FEB905784023BE1B58C3B960C583B608E9EFA7E787FE02AFC4AE2B774A292E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.260{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.260{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.260{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:59.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952DCAD4D9A09CA946B040E32496C69F,SHA256=2AC7F9058036D5CBEB581DD2E3440AE96BC3782FAFA4412D969FB3AF795D0534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:59.460{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45149EF4A6324AFE717FD38BD01415BD,SHA256=A0872530DE601B97C0C6928862AFAFF72EB229A40765466B00E362868A72760C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:00.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD31BFB3E0BD2FC30C58DE90DC2F30,SHA256=0637880AA349CC7340E72228CBFF62404CC4330CBF488FD5D62A140E30BD8FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:00.491{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485A8089486264F0E88D59A3FB34DAA3,SHA256=2C59AEC861B23DD510D04A3A452EA2ADBE365CC57B11CCED8795703DE9C97963,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:58.667{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:01.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D71B089918A852BEE201D0C2B8345A,SHA256=A0666D74BAE8FC3580AAA41ABF12E31C88E1C112A45F76083E9ADA0ADDDF9918,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.498{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECD9F7581B333513797B67BCEE0F007,SHA256=D0DD761E656076DB6D11CB2CF17CDFF613CFF2ABC3CFEF29E1B516A92A7AF6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:02.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6A2B0DD856530B78C24735A456FECA,SHA256=AF05A3AF43622EE26D39C79E5BD727EF1DE288D04F114C8D99EAF1A80E4FC512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:02.535{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39FD48A96A6A94D05D792729AFC1779,SHA256=812B43E46E4371EF68B1BB65486D229757BAF4A8380F193B11BEFC2DF9179906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:03.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520506AD590AF7ABB94A2DED53EFFDBD,SHA256=E4FA0A9E80F7A7DC734B48E95475A255F4E388FFB72E91A4953C82B4DCA0B441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:03.535{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509CE999F44D5B8585BC043B0A7BA7E6,SHA256=D50CEEBFA1CD6ABE1237F43CBEE7181572BF46D3C79ACBAF1F7F1627BA263ED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.972{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52288-false10.0.1.12-8000- 23542300x800000000000000026197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:04.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A693E5E6CC8663D6B605D6A2310A183,SHA256=7ED9C04D65206038A8B88CFB9327A606DF187EF33FCF63833C15002E2D9C1AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:04.550{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E5CAA9AE020E866F196CB0F6EE5972,SHA256=291F847FFB24D888E84D913305F23E2ED201E572AAB9DD46E7133D4AE8A578D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:03.792{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:05.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0D45FD26528A92DFE2B5EECEEBABEC,SHA256=68FFB0BE774031FB109F9BE4D5E82E429CC2E03CE0B21441F31BDE0C636CA026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:05.550{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90395AF5965E68AE0A2E69C2CE486C4A,SHA256=AC340D6EACF12F9B384A2FB43F1F00603AF9BD375DB2A2518FA9C008D8A422DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:06.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62687C7ED2D5CA93C231B95A7CE77F83,SHA256=BBC081A177E7326AC6FA6175FD1165BA85DD85F091E79A827850972986F0107C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:06.565{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F26AFE55239E1D41689DE554918B0B0,SHA256=24DE214FD52C366C5FA1E8D32637D16D2F0F17E0DFAEF7ACF8184EBC67D236AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.852{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D092A1F10EEB1CBE10A22546DECA10,SHA256=F9F3D2634D5CAD2CE48BAE68352A2ED3B26225FAA1BB4D564367F4AE24ADDC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:07.580{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FA3633DA3BDEAA428CA4E4E6F2E450,SHA256=C74E11AF71BEF072754781DC3C85BC2456A35949AE07B4002A3EB9C2D33E6CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.595{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0F985F86C28188BDB421E42F8F4B5,SHA256=4B2AA0975CCF302BA07FDA61805CFED6DCC58CE0CD7088DD788BDFA6F6DCD9CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.352{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.432{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.332{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FCAE3CBAA65EE89D363ACC5E7D2C06CA,SHA256=CD24C4F4B673DD9B29388BCC0DDE72D59BF10DB5DBB7C44DA3B521E1D43A6FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:09.613{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CE0360F980F17E5644BB5771531CCF,SHA256=6B93FB403EC290A3D23D2D7FB475C405FE0EE54791876D9D54E58257B1C06FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8926F10072BB02E524719255458C3E24,SHA256=D29F76372CAE693E4B1C52E06D0E79688A781D6CF89DB10E53FECB2D59C8BDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1F648D988651FDF90484D9943DBB2E,SHA256=653A75A4E448AC32A8ACC77154D2F50D7CFB6EB51869ADE166EA66E63326D149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282DD81ABED4C5A883287B8AA48393AF,SHA256=5594693AA1173A0499C5439406C1AFD9248CECD674AD126A4B6DB22D67915BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.179{D371C250-BAB9-6124-A306-00000000F101}1908716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.024{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:05.017{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52289-false10.0.1.12-8000- 23542300x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:10.631{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC843B53745F566585115E9BE36E87E0,SHA256=054D30A528BA70DC81DA358D8819BDBE268767DA968D377F0A3E33F9F2D40CA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.200{D371C250-BABA-6124-A406-00000000F101}6841080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.059{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8926F10072BB02E524719255458C3E24,SHA256=D29F76372CAE693E4B1C52E06D0E79688A781D6CF89DB10E53FECB2D59C8BDBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.028{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D8A8FB75123A211EFE5546F80FD279,SHA256=3D7A5F7A902A61072DA216101EFBA88A0EAACA3544101833F355287C5BE3CC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:11.646{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B15402AD3029DB79D34512E7B83D8F3,SHA256=711BD93AC00DB54498415F5F575B3C98C85117CBFEA3A4925D40816CE28E7DD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.965{D371C250-BABB-6124-A606-00000000F101}19241652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.841{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000026276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.797{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.497{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CAB7C61EC7D410BE9D62C3A897CF14,SHA256=C1FF4A120E28170603F46C65B62E975EA259EC6D963CF6DBCA3768E6FD3B6E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.325{D371C250-BABB-6124-A506-00000000F101}4064300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.170{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.513{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.356{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A51C3919367CE1A1640663E33F033CBC,SHA256=F9BAAD3306BA0C088A0B63710689F8ACA3D9E0E43E87069E2D50D011E5DC163E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.325{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58187B206D65236D2F3F482E398EAB5F,SHA256=7957AA1EF0F624A9FE3B75EF89588A3B0EC9C43716B87DC8F5A0EA112777F240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.661{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15ED1D2D09291CB1569A7B288B4AE18,SHA256=C98CB4E04580B4252AA2C1EFC2B89DEB36181E323148370D710DD9F51EE79893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:13.653{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3375CA12D70540A338ACD1270A52AFC,SHA256=F08AC72100F8EF2A7F24272BE958F5685C1A3AD166BF53491AD659F71B7F4705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:13.559{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B5458645DC4AD3AC2E5B4235122B1E,SHA256=A9F75717BDA0CED95F9154706E6248810180105703B4D50456EF66D9ABACEAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:13.662{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AF02F0DA3F742D09DF00D2FDD8434B,SHA256=B1C8A6F831EB0F3BFC4D824B09B2C47210796AF665F458CFE5950C41218C03B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:14.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1989252583601D85801684F4FFFA91A5,SHA256=6A5553F7579E6227933AF097E444472AFECD4CC480F1BE8EE47BFDB8261C6F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:14.666{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-110MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:14.665{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D66E49F10463E865A0F15CB5F930636,SHA256=4B014288CEB6D8BCA1D544E1832D87F7BC97BB51A9A7E0C5A4C600D78DBC7C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:11.050{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52290-false10.0.1.12-8000- 23542300x800000000000000026309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:15.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDDDDB47E540997998CACEC866907BC,SHA256=D974E5DA7BD6906D1004EE04D54D04E44E5BAA8592DC2B2265CBA5E0BBC70F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:15.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A9071C705F83840B8FE4C72E5FA9B3,SHA256=8B20F6F29C079B59D8B700AA6BF91FAD808AB0616B50B2368339227985706173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:15.676{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:16.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A650D62D6DDC216827C26003776B7,SHA256=74A2AD79602FEDA19D47DBACD13124E8EA76D3C1C48E63444DA0A931822C35CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.935{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=8611C7DCC73335D5F35E6DBE4A92F1EA,SHA256=BE69212FB89CFF7A0F421A64EECC26DA8E6A34DE8870F7C93C68641430C30875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.919{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.916{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EB06D43CDA7D056738875F2F1D6A8A2F,SHA256=3F2B6F3F6284575567861DCC5C9728F1FE21F0ED7907E84DFAC031DEB21714F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.835{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.704{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757A02D6E551EBECDE549778770F10B3,SHA256=E2732E4FFA0143E6578BD05D381AE6DA632FD54A6D7FE7E99A0450C04533607D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52291-false142.250.185.74fra16s48-in-f10.1e100.net443https 354300x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.943{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63156- 354300x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.940{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63805- 10341000x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.431{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:17.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95DB8BEAA32B337AFDA5F495BAC7FE8,SHA256=F92667CB779DC004BF9D2A49531D68BF2FC2E85C50D62B0B22DF88E89B4AB655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.781{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.750{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9135DF3E27F86FC30CF6B00BC6242D6D,SHA256=F476E0C07A6F0A762BB5DF6EC7FD3A8A76215BB8D4995D0149E78D33BB440A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.266{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=510DBE6F67223DC5455E6E4154A5ABA1,SHA256=EAE14BE97AEE2D07A23A3873E18A3B36C7B418FB5F7C246D3C545A3DE694CE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=74B40F273A6747E9CE65CCBF8271C07D,SHA256=FB4D70D21CBA8D7CB9007D65FA14CD3C9B1174E1C021EEF0E6AADF9ECDBF137C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=2B389398AA165211D3266E5FCE7C4A1B,SHA256=D03AED95539ACF458EB2DCFAE019EE36FE15032E585CCE3E27AE6F9C2CE81CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=770D1830F8D6205E2C4F4803B793ED47,SHA256=F60ADE0662A50F1FD8DB63072A7334A25B65F787BCB5919D48F5553815DD786A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=A22E116730EDC7AF2CCA43F01ED2287B,SHA256=8ABFC97A9A054898114283D995C9CE64B117E7F0341E41A59684A307F14DA4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=3618696D4E539F97562A79C98543C1CD,SHA256=6A36AC5E5DD100E661DA8D21E24D4EE9A7F8CBD790B582751AC58AE747372192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=431A9D7F2CDFEAC0470A064901787C16,SHA256=2A5C6A47A86FD3D1FC267C287D10236BA97349083E7DFA67022AA99FF126BA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=D4EC42A09329AF85B3C9A1C00EA2B908,SHA256=A3F3F2349DE8CA75AD8A464731DC17802A0DDD34BB1E3D4FAE83A674DB613CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1904311EF938B38EA7286C04E0773792,SHA256=DF82CCF876F410906794D4550BA321E1D0C8A8B4D046F7EC9410F4468ED90820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6F90EE486376D8D22944680ED981EB80,SHA256=321B50CBC800A672FB772996AD18BCA58CD971CB9BAA5E6F27276E03F2A6096F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=713A3C671D0E280B658BC33DDC56E1CD,SHA256=CB26025327E8A58B72ECBE701CBA7EF8832E51D2B3D7BBDD4D8441C0D4DE52B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=940D49C2027032F10D191E88B950C7E9,SHA256=662DBE996E0AA0682231C7A02C5A60A499BD3EB09BF23DDFBD122F9110CF38C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EB06D43CDA7D056738875F2F1D6A8A2F,SHA256=3F2B6F3F6284575567861DCC5C9728F1FE21F0ED7907E84DFAC031DEB21714F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=39A3589F1553EE3991626D7454F6997B,SHA256=DE68F288FF96C7E6A4CCBBB512EE67A799DE1355E5818EF9453079271299FFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=8611C7DCC73335D5F35E6DBE4A92F1EA,SHA256=BE69212FB89CFF7A0F421A64EECC26DA8E6A34DE8870F7C93C68641430C30875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=34C9FC8C4EE2F9EF3E5ADB863BCAEFEF,SHA256=A2C2674C2C8C82D7AEEB14CA206B4D3FA50BAD43FB641F914A259B1F8A81D782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.135{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=E8DB97E59B48EEDC75D871F57B7F2414,SHA256=E51F34F4335BD9546678DCE6622EEF52097D9719A710178D111B83312DF11F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.119{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=29713F87D69535E52AEC43161F0DCA6C,SHA256=80DD05D04AD181097B98DDAF70F21A9F8527666FE5B759A2563D19895C2E360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.119{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5F83B0D6BA161602017AC27A96F3705B,SHA256=DB679CA27EE3FD9899E5DEF0384A3722FD19F4A23D8F35CDE1F3482E9642886E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=D3C79EEBD1FBF04B25D7E0D89796A366,SHA256=77CBCDF1F4FBF279888EF690AB6537A37271904F49F10A6B547B50CFB0A04A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1122B8CAA1EE6AFCC8D9C705810B59DA,SHA256=389FB0D336133EEE3F98D97A725786A1191EE0E2BE2AE16458198724EB16DAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0A118F84489D0336500BA7AA28EEC3DB,SHA256=80CDBD62FAC86A30E13F3CAA31D8DC1BBFA458FF093CA3113DCF17FA09204493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=7108E87CAD9A9187F04E0DB62EE11BA2,SHA256=D3E981266944DC3516502147A13554BB1F413120FFB119EF7191073704AEBDE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=12C155DD5E881352A0ACA1597315E4B4,SHA256=5EFE168A26228F9557DB8EEF6F128E6F2BC3CFCDBAAC5F1E54CA97980170DD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.082{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E03E73D5F6ECD4CD32C3DC29D718D0CD,SHA256=E0EECABA3B9EF2ED989A88F166FBD18E87DCAE59C51EC0C8615EB181CDBD6875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=9029D6F8F6B542F8CC8BED031A868332,SHA256=B779ED2DDA6A823FC2E108105D90A5012357F0082973C164F86D95AED6E16573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=98E577C148A61351966CCDC96A865C91,SHA256=2A6127C1960DFB83F8F6D0B6EF099120B1BD858E432B56E7CA14F34B6986D989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=3A16652F3D7E909EEFB688780FB23DFB,SHA256=77E575221C7FB694A4D9FD39B1563AF193D1A6AF22C18DCFC77BB992B19B2BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.066{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E4AD5A04A5C7E1E2D01F8AD2F766BB15,SHA256=59DBC09166E7BA59B5CB02DF109991B71AD70418BA45595A9536A4758A630226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.051{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=29713F87D69535E52AEC43161F0DCA6C,SHA256=80DD05D04AD181097B98DDAF70F21A9F8527666FE5B759A2563D19895C2E360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.051{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:18.815{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D51085FCA4C0DD24C2149D593A071BA,SHA256=469608F682289FF02210B5619C64552CE299CC12001F15B85B93B49DF4CBA82C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026312Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:15.797{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:19.992{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E8022476633900B079BD54AD5AC165,SHA256=026B5A8E7B98E18F415411FE091FEC23FD3E610A5332F221025C8530B1B14295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026313Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:19.012{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B44B02B145A6454393F0FE8696DF807,SHA256=596825A34B0CA248B2B10785F0EE1ABA14BFC07DED84CE06B904FF6835F29926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026314Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:20.231{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B9DE3CD2764AF395A49ACDDF702F17,SHA256=11ACF5D59C7AD2ADD7588F5ACAA0C0E3CD9ED4D220290BD7555F96C44B998020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:20.611{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47054CFDEEB2DE6A99048B8D8D232DCC,SHA256=D84FDD359ABA532FAE961A54CDDF09326F0DB55D97D4E070DF56E07D00A5B2E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.087{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52292-false10.0.1.12-8000- 23542300x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:20.026{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8E137452E2A8089D0A5639500C8C04D3,SHA256=22E00A66FF75BCC84A942B9F4758AD24A380735954933FB7012C889918B744EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:21.465{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AEC5927D7B230D9C7B481855449E7,SHA256=E281473926EAD3A0A1E73B6A41B80CCEA1D7C943F8A46A2E71D0B2ED45F3FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:21.013{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4613B13D0B44FD0F5B17B4A813C403,SHA256=1E7A82FCC313D03908CCE2556CF92027DE0500106DEEA94B15F41D78598079B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:22.700{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E6FE9CD045A19F5B99604C76C35B4B,SHA256=D719105126980729714F7B3C4DFFE788772AE05BC7CFE274E80DF6AC5EB120E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:22.047{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCBD83EB13B97D4AEA6A6A6835EB7B7,SHA256=BED720A501D2DA8A12D54126DE0B421F49F513043C7BCBE9D949138A9AE3654E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:23.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC69274C49A858F837CDFE99819970A4,SHA256=FAB8E2EEE59FC34072FC73D7A295C3A8EB42092FB5213DA0909E262A32AF9BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:23.061{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E136F9F1BA40CC6AF4617B4B571660,SHA256=88EB315EE7F6A4469C8FA1785EB3280DA8A42E3CA3BC21B8BA389E0418B18ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:21.687{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:24.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A63FDD6DC2413F44D63DB212D956F02,SHA256=16303F2429CBAA20F3C7B7E0493F4CF0BECB40424ECDB17EAE2F296ABC1D54AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:21.151{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52293-false10.0.1.12-8000- 23542300x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:24.076{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618AE0D7EA75A5983C41D01C7013BC1C,SHA256=C8AFB21EB4505B0CB3FBE17D49038A9836800DDC0A68CCBFE1735CF1858270E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:25.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DDD7AAB0BC53A6764CEB256F2C3299,SHA256=DC351DAA8D8D46EA88FD434BAD77162F57AEF07BA3B1D911D313376A0097E445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BAC9-6124-3809-00000000F001}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BAC9-6124-3809-00000000F001}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.759{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BAC9-6124-3809-00000000F001}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.760{80A11F3A-BAC9-6124-3809-00000000F001}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:25.091{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14320BF71204AD401831989BF249FC43,SHA256=C360826E8B9D261C94927B856CA70BCC85FCF267C29DB64AC06B033AEC965DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:26.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C290B7024A22B719A92363722602621C,SHA256=47348AFB4AA3057C5F649CE57E650916617790FEE26CFF048C00D45D77D72B22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.914{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.911{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.911{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.907{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28AB96CA9C75AFDB879BEA1F22EC283,SHA256=DF436E90339497D844C53569F875899F89AC6DDDE2D3D23BFB271C07A55A3CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F098465E378D19A3D3EE3235A7C9B748,SHA256=9A9C902E48E018984C63597507EB23F95215ECA10C71FD475F0755390F971277,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.290{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.260{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.159{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8195F2753585AF0E4EC18063205E7BD3,SHA256=5599E9A4188E94F4AF2B905CB35D9B022E59154267DFF6D1A7BB3358E68F1581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:27.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A761B20BD2DF7E7217EB4129FE7F3D7E,SHA256=8B867D928108B4A3BED12EA9D50B1A77A5535759B0A06A954EF4A7D10DDBA74F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.995{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.995{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.994{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.912{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28AB96CA9C75AFDB879BEA1F22EC283,SHA256=DF436E90339497D844C53569F875899F89AC6DDDE2D3D23BFB271C07A55A3CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.775{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A676D5E781205E27BC374E71F1D1606,SHA256=7AE8B3DBF039E23565BB6552C17AA8997B0787EE2A1719C363098E97967943E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.360{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DDA2EEE4E0779C2315E74422E8776D4,SHA256=333D79E54BA948091DC7EC4B890B9A43E19BC206D3E02E35887BC973D4046ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.195{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EFDE8790E26D9D562DD2381A559971,SHA256=9A1F62B0FD7F63E2772B4ED6E5BA07F5218F26C5032735138601845F099949D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.121{80A11F3A-BACA-6124-3A09-00000000F001}65282436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:28.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2B2523179AD000DCCAD4F95071194C,SHA256=3C481C68EF1AB880B95BD2659945A4D7EE5494DEB3EB65C9E934FBA7DF653C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.877{80A11F3A-BACC-6124-3C09-00000000F001}68047092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACC-6124-3C09-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACC-6124-3C09-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACC-6124-3C09-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.662{80A11F3A-BACC-6124-3C09-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.246{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AA8C08DFA064C3402979D511734E39,SHA256=692E963CD40EE18B82A55941B6B391C7976447ED7E0DE0BBC4162A5148A81151,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.194{80A11F3A-BACB-6124-3B09-00000000F001}38486292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:29.789{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FEF7A983477DD0CE77CBCFD330245F,SHA256=71C6DA769EBAB0FEFC6D4767CD32688AFD3B17675350DD19A76509585695F88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACD-6124-3E09-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BACD-6124-3E09-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACD-6124-3E09-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.925{80A11F3A-BACD-6124-3E09-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.917{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA1EC309746F5692D927FDA41CE7DCBC,SHA256=2FEDDE17EEE08D2628A7482BB99BB6BE69D54556162FB93AC6FE5F2523DD54A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.797{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.749{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.498{80A11F3A-BACD-6124-3D09-00000000F001}68725864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.298{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACD-6124-3D09-00000000F001}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.296{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.296{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.295{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACD-6124-3D09-00000000F001}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.295{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACD-6124-3D09-00000000F001}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.294{80A11F3A-BACD-6124-3D09-00000000F001}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.261{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A716ECB4B79559BCE352F3028BE8FDD8,SHA256=C06954E9B24E3CA9101855DDD03180154BB2CBEECE32E43368A92C57FB7E578A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:26.688{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:29.014{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C353D164C56F5A73D6C6D28FFE3BF1F4,SHA256=0DB85AD8D9DB24930E4E85094EF05B6DAB3FC02D1A248CEF36435751F357C44E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.577{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52295-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.577{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52295-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.167{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52294-false10.0.1.12-8000- 23542300x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:30.579{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F2E167E5D77B229BE0DFDAC2F45572EE,SHA256=2768501775229235D85288FFB1A39F7FA8C6E162E76970E2B3F069B0CA122072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:30.317{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF67F6C87EE04447AC75A022ED53BBC,SHA256=85A330774B554698D4FB7DD2DF227060B976BBBEBB4D028F7E4116D73EB4B6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:30.264{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39385A1BBFD701B7D52BEDCC2F2D58DF,SHA256=0086BABEFCF74744CA342C0C61170479EA23DB80ACA75F3AFBB14BEAF1038288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:30.871{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-103MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:30.791{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F710D62D08A4FB8AB2D0ED75311AB0,SHA256=B625DDDFEE262A4074AB9DCBA8BAF2DACEFEBB261D78679B4B026E32B9CD8678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:30.064{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA917C44149B3ED78338536343BEA2CF,SHA256=05FEFBE7AE8D6AB1ED26BC996F33ED22CA58FD338684A1D4DA49E2AE4D6042D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:31.885{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:31.806{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669CF7D7343867A7E11FC97F9B3475F1,SHA256=CDC1B58B545A992C14ACD78ED86EB04B47B9F6863106ECE360CC731C4FD95091,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.666{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52299-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.665{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52299-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.656{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63082- 354300x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.586{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local52298-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.586{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52298-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.578{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52297-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.578{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52297-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.577{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52296-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.577{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52296-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 22542200x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.664{80A11F3A-B9C0-6124-1809-00000000F001}1796WIN-DC-391.ATTACKRANGE.LOCAL0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.663{80A11F3A-B9C0-6124-1809-00000000F001}1796_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.662{80A11F3A-B9C0-6124-1809-00000000F001}1796_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.659{80A11F3A-9FFB-6124-0B00-00000000F001}632_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\lsass.exe 22542200x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.659{80A11F3A-9FFB-6124-0B00-00000000F001}632_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\lsass.exe 23542300x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:31.279{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB19E9929AAEE34D9A186768F224045,SHA256=6635CDC27D6A52BC93A389D2B2D1DB4259D4BF6D101EE53B6EA068FB6F399353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D250B26E79676C0A668DEF0FAA74B36,SHA256=9DBA356FCB57AEA41418ED7D90777223D592EE1FB39112A3B2CA18007AAFF17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.791{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:32.299{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE50FFC80AA0A6E5F75DA02AEB9F306,SHA256=1B102ED115216DB1C92E299BB9ACA04B3160C1726CF8D6A88995DD8385AEFD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:33.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096DAD787DF8F9E27168FB3EC87A3D42,SHA256=CC801C7003F03EFADFF5D158DD2ACDBA9C68119E344CD240A5FE66E3DB60FC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:33.315{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861DA372662C7384E53F6ADCEBE44E90,SHA256=DB6B015BBBA74673D553C58D2C09EA7E3B56EFE7EA5B84D4C5FCE3FEFCA7DB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:34.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ECEB745DF6FF92B6F7A7731DFF6FCB,SHA256=CC681955F6DB906806E0EF5EFACF164540E95A705730130A2277FD72F5C3FD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=25DC5AF073B19827F12ED5F91A78B359,SHA256=1398EFD711A333BD4AB899E0C032F08C1F63C557745D4961AC36F7DFB161E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5FABA8D1F234D5EF845895C7970993A9,SHA256=27E91E0C98C10D048C76434AB57969EEB7906ECEA6948B2751B49B9D2337A2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=87039F9D58C22A527322D73F124922C4,SHA256=F52B322932F8B94D688C580A16AB13B1AB21419BB3E36AE719A2CF5D7A98BB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=08247C3F614DED9EE94A5DB8443F94EA,SHA256=B7F3099FDFD14C2BB478103DB68A9F3765121582FAB3120FBB2954524CEE9F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=84013BAAC51742F144127BD29A9A0D7C,SHA256=FBACA3A45E45D28167B6E618492E1784C9FEC880D87C2B6FF50E3DC7220B431E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=ADCFF6C9C4D7397F93554F7D75557706,SHA256=24693A50FB1619627D6EDF2B0B38FF5FC17A48FB8660E83F91DE02DB4B3C2667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=373857E56ECCBF8D6E6D123F4F12C62E,SHA256=F11A5D7935EDEB5B5D05B64FA548D60C9B0C3A786AD2E8101AA7423F9F9C709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=412CC20ED191382D7A9CD60AD3E7FDEC,SHA256=8892D3F3DF3B8A6CFD09A6EDDFD4D29A7252752B7F2A3FB1FD3DC0195F8F80C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.330{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA72B51030E6FCC15C53101B3F339FD,SHA256=93C30D362B16957D428B255903E38A20F32B1679A4A60224BA4978631D259ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.654{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000026333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.388{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:35.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEEA04F571C3EF9EEB6D8EC1794CD9D,SHA256=77B56DC91C2CE9AF55755F10AA28F37CDB39F9F08F50D2CC11D79B985A7BF3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.345{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98442556ED1A71D0FD731188DB05966,SHA256=7115DFB6072ACCB4424885BDA17F1305F4B4F6F82DB33682BF959B35945D83F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:36.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7F44BDED719336A281528CA5C4BDF4,SHA256=3D1628415348A9B6C3A349512D0DD4F46DB10BFC775F9507B57E85D0D971CE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:33.182{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52300-false10.0.1.12-8000- 23542300x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:36.345{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7876703BC8E07C934185298D70F72E68,SHA256=F7CD64CBC49193C137D05189C426B7B63096A050A4D1C7C6466EA0B769EA74A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:37.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA8547C46C19944FACF6DB4ADBD3057,SHA256=5F384ED2BE5094A0349B36A117C5D6ECCD79CF50EBB0D5FEFBCA3AAB8541E2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:37.375{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC966B6EFE41A7A5A8F81078B70EA56,SHA256=EBC9B77E3B0C7A13F7E67460D1918E7E7C5B8F3A1DFD8242614E717BC2BE6B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:38.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E49A8FA45BD9903F147FFF33E5F33,SHA256=D82CAC0FF816C5C15E22B4577078C709CF7C078D2EB93A5661697B3B5857BD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.711{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46868AC0F0138BD18285FB54894A5BF8,SHA256=8CE4E075974240DEC582617E7595427591D2C16AC23784A27B037CB452942B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.711{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931C50E2FEE90984F9968FD12EC294C2,SHA256=23033FFCF3C09636E56AF0361F15ACF1C4C84B07C482DFA20B455829EDD8302F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.458{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\AlternateServices.txt2021-08-24 07:59:38.155 23542300x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.458{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\AlternateServices.txtMD5=6D7B289F5EEE191E3BFE55EF41855129,SHA256=FE20DE12566ED7F807737756EF4E6B87E534E3C38031F5DB46052EF15CCF7189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F8D591E3F9B08303B3FDDBA179A0D0,SHA256=E8A51415BA23AE90A6626E0B9D8BA5AB3C7EFA464BDF7443117D07A3CE94911A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txt2021-08-24 07:59:38.087 23542300x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txtMD5=7D19994562DDF7DB67F0BCFE73FCF6BC,SHA256=A169245502FFB7292E88D5445E9776773702B3BC6CDE7E8052A657F31223866B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:37.685{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:39.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B150991E02ADC053696C6FDD7FC9B347,SHA256=52EE30A94E0A210B1149A2F8EADC1291600318AA39092F470DA47AA941D508B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.613{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52301-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.613{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52301-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:39.442{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C34E9B2BB968466E94A117FF36639A,SHA256=2FC6C65D62C3049D8A6FD3B27D3A4D4A16EBFDA5E0A51935F823F86BA422D909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:40.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F54207D909F65B5CFB51662EAC0DC8,SHA256=07467BF8F94B795BBF70B752FDAEDFABE7F02B7BC8387EAB798242CFAE306273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:40.444{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1202867E4B91E84202F53FDD588B6139,SHA256=2F9951172C9C24590B41312E75A21A64D2DB5874BF3543824F3900076B43C43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:41.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D145FE42920943F3205CF9E880AC586,SHA256=F267E6AAC1DF155549FC9C69117B7A465CFAE55373D120D735042BAA00F1FE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.458{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58C136D7F3524CDCB5738E6708AFB67,SHA256=6F4403A8F1D3FE57109A8E618FE98C0E6DFFA0A2BC9A40842ADAFC48B1C94D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=630A88A5A2DC5444B88E3168B45BF4D9,SHA256=FC9AB29EB5E70397FC87E331E20AE3C18834AA52DBACA0A60B0966153C6A22E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=290207451E901496A969B4717DC52C1A,SHA256=EB13E710295AD7D7A8468B0CEACFB8677EFF611FE90456F0EA2B502A758AA61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=ADE0D591C8BA27E0C45C910F89B27BEC,SHA256=72939E7106449F578CCD6CF7E289D0371251DDC7E0E6C7D2013417FDE005F99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1A9F3C378A26B6024CA78CBCEC0FF70E,SHA256=05CA3A934307FDACF5BFB1B5F12C3E3A4ADF31630829293045E0A5275040E197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B1116B396B212CD3ECBD3EE7C6AED374,SHA256=F569B1891EB5A2056C737EDA1D6DD1AD820243B02E8DB6E1DD3ACE86A2A86130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D218C4956ACA875910C8823F8A3643AE,SHA256=DB1105462EAF49753E2030D6F36BB6EAD60EA8C11B2BB823DE932B6996F6F99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A19800FE03A75719EFF559C5561EC39A,SHA256=29C86382BA44E2EB578B33C12EBC310DEE99435124139D9AF95EA794252EB082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=033F22DCCCC9E91A945F89934DB4C714,SHA256=AE50E2C8C595005228E88B7B4875BD9361A900531695104ABF201F88A376A5D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.934{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52302-false10.0.1.12-8000- 23542300x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:42.474{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D08BA0C05B0CAC5311E2FD3514D7D1,SHA256=44EDC53AA0F9A06AA637D3F7FB308D7C74EAAC27FEE7EBA483AC6EEBA68C86E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:41.249{D371C250-A1CD-6124-1100-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:3c3a:268e:f5ff:fef0win-host-944546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000026344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:43.150{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C2C7322A8CB1181A614F0C471115B4,SHA256=B24B5EDF75857C0A49666AC8D768FE3643E518D68F3932297F31A2FEC9F6B956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:43.491{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D411682BDE1EB3F4B7776EE822DA0780,SHA256=8EF7DC4965CE81E27E57F4B7EA73236DAA7E56F5599312987F01CD3FD68DEFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:44.385{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731FB88AAE4C385DBDB1A12562FF5259,SHA256=1C92C70CD142B6561F75F44F1D3273890E799CCFCE7D90DE615A5D2986165614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:44.510{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB244C5235156365E6ADC0BD53B7EFA,SHA256=D69F15C13EA96591709620E59738E271D96D6370FEFCE64562F7EC2935088497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:45.619{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39197F58898A2CBDBD4ED741674FB97,SHA256=1E1BC62E9EE3D546D20F151B69D716046E2FC4F458DE08781786AB28E8444AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:45.541{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2683136D7372C374D5485BB58B67F03,SHA256=06B7D5627681C3341881F2B7EB59F5D8A08DBE0A099E7CF6153BDDD465D8FE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:46.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B9C96A7742C56F62C9EE603E822A9B,SHA256=0A975602DF9E2BD9F440B8B9F3BC437D26319B093BB0E9F6776336666D003A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:46.543{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E4B0B2B5E8D0EB28C3D6DB7A464DBC,SHA256=3357754AC104CEDF834997A4734A67A2213A0B63323848CA671BCBAEA2E5D8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:43.685{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:47.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8241A199E8A4F6C3126B4494AF91A2,SHA256=8D2CD0D79AF5477BBCAE2568EC23FAF3297F37DAD60FA1DAA6960C4C6669887C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:44.164{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52303-false10.0.1.12-8000- 23542300x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:47.557{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DF89BFC8001595B6BBEF2E35A7D7AD,SHA256=BF193DC3F3B76F5ABEB63BE82CE493EA56E583133569152FF77B9618A4FF4089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:48.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E4822A83F9CFBD5E8355FE73027147,SHA256=23D4E80203F69DB85170E4D0554B46FC45EB4E81C282A15135AF33FDDE6E4F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:48.572{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAD1EDA8E1DD8AF08E729FD93F6B824,SHA256=E86E849DA847761F0267DFF861BEB39BBD635A7B9D6378F4E50CE2A8AF234876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:49.572{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0264FC7BF5BE175A45852279BE4AB508,SHA256=941C1A0E6F33FB405FF11EAA58C69ECA7C0A21E8A6E5D9795B78474F137D34B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:50.809{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=84D41EE810AE1415502149324BA96998,SHA256=11CEB6DE00518237877483F237F92F50FBF34B9206C9C83682A25BBAE41555E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:50.043{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871170417D7595F573C9A621336BFD2D,SHA256=CDFEF9E3D7EA55F42AFFD755E9181AE9BF03BD384E076E8312964FEB2EE1BE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:50.590{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BF2DA5F8C4411EDE3794433DC30178,SHA256=FDAB746B0383C46F122F687A58660A0DF5F534A1A7F72BFE133092ACB5B88542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.608{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F112180C952A370B44E90C761C15F3,SHA256=B72F663CBCBDD3B4AFE45724819BC2625BFA46C66BB590E2F51722A3504F593C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:49.673{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:51.090{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8555C5761B75603AC9178F113BA2E215,SHA256=9147922886BD9396132BBBA7694EF2477A74562AF61842E4EB95E4A03FED08C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.124{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.109{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=634908E5F7981C34B05B322668D7C02B,SHA256=E2F930805EEFE498D287DEDEB5F5E584D9752E14774B2258B5EEC02ECBFBDC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:52.639{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4580F16EBE70D74746D9F32D7BFE54,SHA256=C140A7064C7DC7605E00B2EC377FCD3779557B89D2F9DE7BBB29E9860E8CA9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:52.137{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F6B72208DF597F1622A2E81337EFC8,SHA256=D61647A50C0BD7D52E5C745AA32A44EA1A191E411ED98DB047D544F25C2CC303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:53.670{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2119ABB33D5F68DDBE9F1B17E24E3AB2,SHA256=84934A07FEE5607CDEE397C6E0E928FB231DCFA315FD202EBE963B81F279A269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.293{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9165F3F7DA979559BBF92F054BD42ED1,SHA256=EBE5DEF7B939C5CEC0D9F73CF96667A5B5C9534C9CCC54761FFBC124CE7C798C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:49.032{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52304-false10.0.1.12-8089- 10341000x800000000000000026359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:54.418{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4801754F4A0CEA52582385B458828074,SHA256=12FE1EF2764D323862BCCA27AD35A02F1DCCB924AA9478DEB6E87626F19D148D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:54.687{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F1A79718E8FD688A379402BFAEF6A2,SHA256=33FFB1AD29D544F9EDE0FC0B9A25CD938FF3E28479BF6929645CDC2B1A0B22B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:50.112{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52305-false10.0.1.12-8000- 23542300x800000000000000026362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:55.528{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F513012BCCFF7B324BB2AF31753130,SHA256=9AE85312C56C4E255C9A6B19D1D0FAB064C19754A320659708C00E29EBBE7F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:55.706{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B732C49CD8E1CF430B74254AB9EE04,SHA256=F109DD88A8F822E8A70A58B55FD5E1144C1F6A1B001DC694F9FDC751AD45A7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:56.653{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCFC63D60D11DFECE2E1919F46223BB,SHA256=2B131073E2C59849C8BBF2B3212B2459C8D027364A24172C7F82BE32D7735AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.736{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F7A090B8213582BF942FB9F4A51362,SHA256=17825D904F56BC64294F52D683A9A020B197A3A58C1CEEE2D723E9107DC2D68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E2D4594DDA6FA619060A81816B95BD8B,SHA256=3BCE92152BA34D27499D3217318DEB10020BD0FE0B77786CBF4F5AC035D60C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5633F2C5047274EB60F6C26B0233381A,SHA256=DB16BDE6D989E6B99122322169E7705EA330DC879F8F5BB983C4BC16EC98376E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=7E49D3C0CCE63E09DB3C5D08C92DA9B0,SHA256=99193EFAD84165CB94323DD5C6DF8F56386EAE0D16523AFC754197B38ECCAE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=CBB3027E6157872F3F5455A4AB4857A3,SHA256=E57CAAEAF3022C7DA27B1AAB2C914D28DD75A22A6754CF22D7236E7720D10062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.188{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=F72B3DE04C18C30AE0823D0183578EEA,SHA256=09291B918398D42C69DF1B2C48FAD274DD0847D9B480A3AE1EFD055220E2DB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.187{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B98788506C8995CDF592F7A14514BE93,SHA256=B1CF396E058E6938C6F744CEB0E3A4303B9E155CACB151A81AB4B1940165EB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.186{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=45512C6E1C764A56FEC661CB7705E92D,SHA256=1AA642C368C418B20B66C146F518996B9D242B6C007E6E2E68099766A9D05149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.184{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=610CE8203617272B8FCE6C423C2CBBE6,SHA256=DA4EF4BBE5B55986A85779F0A096173AC850819783BBB0AB0128FC0E00F34F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:57.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8434A24B1527D4F8504CF90B28197DA9,SHA256=1A32CE65257FB4A2C8986BE62C956346CA476731FDDEA7D8A40BF2632BF0A78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:57.767{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6213120FEF9D33EB9ADEAB7A47FF6A0B,SHA256=F5B6DBC13406DD8DD851FCE72EA25425812207021DD7C8DEAF0C7BAEB20E1864,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:55.657{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:58.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAE8544900C5DE9EB0E332825A20822,SHA256=0BD118A611CD1B9692993A42F9EA7D5383D9278A281FA3B1D44689AD26EAAA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:58.768{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C95461E55B57042C6A392CAE0D247B,SHA256=C6E4CAE6524AD896B12D3021D67A0DDC4A73494A3BFB89DB5025D68BEFF82D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:59.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB53EFD3B317F33D776ECDD477F06E6E,SHA256=C54292683021666DEB8F4A66B70F040107093B86C59E10BBF5DB5598C5839317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:59.777{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795EE86BCE6E91C9A7F6A983B0E12F4E,SHA256=F12EF9A35982C8CA611C41028C23EF9C0ED27A7609DBA4986D0D2A8F97F05A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:00.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935EECDDBBDDD2D468B158A3B58932C8,SHA256=A3B4213BF821F283059CB54F7F77298810AA452B7D3275CC2ABFF207A10FCF6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:00.794{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C940B4BA848D57DBB9D06F8034376D4F,SHA256=25D595E0D75819C7AE2A07A4365345012539E5ADE13398433BCF54364D815CFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.074{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52306-false10.0.1.12-8000- 23542300x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:01.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADB3BB1DD6707D9DA2ABA7E3671EC71,SHA256=929031C4981A62E5BEF7B61C618C8373728A06F86DED2A650A66868EFF625623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:02.829{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7D1931E809C5DFFFFA93823A91EC76,SHA256=1B9E56A306CD0BDBD239C9036FECADBCF7DED30D04B474C4A3280126ABD112E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:02.043{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E8C7847BB113A5EAE86A3D926061A,SHA256=0B45CC2F3DBFBF713094E43F23AA8FE2C7C31AD497BE32D52A729CD669AB8353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:03.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16734950EDCBD9D8B17968CF4CF993D,SHA256=6AAEC1F15C57B4C7F2435C60E0FBF83219F59592A3938EC84A631976F405A401,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026380Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000026379Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00623af9) 13241300x800000000000000026378Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x896b5edd) 13241300x800000000000000026377Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xeb2fc6dd) 13241300x800000000000000026376Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x4cf42edd) 13241300x800000000000000026375Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000026374Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00623af9) 13241300x800000000000000026373Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x896b5edd) 13241300x800000000000000026372Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xeb2fc6dd) 13241300x800000000000000026371Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x4cf42edd) 23542300x800000000000000026370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:03.122{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C269E22363EAD0AEF40858D0058B7C,SHA256=E04C4C8E4D10B5ECFFD1938BA76469826885C3485A6E1A899BC63BBB080487CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:04.859{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA108BF92CDBFA5300FE7A428C9171CC,SHA256=500B31780012390469C53B78795ED5BBE94451E4998183B3B498D43D6CDBA86B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:01.641{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:04.356{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62F49B07322F29897A3F4F3EE6B7E18,SHA256=D24D550605D3F8B14DC32BE36C77B8F1539F96118D4F1CF6F4387223DFA69578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:05.859{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B24A54A6D0EFC91CD9A84C41961EA1,SHA256=3AF4A5441712782EEE80B417AB59BF4DB085B13B73DD9AEF300D2C81BC25134B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:05.372{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC00A6751565A2FA304CDDC93AD11221,SHA256=4A6B7484E382BEEF55F7EF190A1E0CADC37326F90ED3C83654A20EE123B1DE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:01.152{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52307-false10.0.1.12-8000- 23542300x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:06.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561948A944A9C41D0B6D221322D8C4A4,SHA256=2D9B3B7D28712FBB835931CF9ADDAD582F22EFB86E7E5D8C257F858C8E573250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:06.418{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B015C6F42248EF85FEE40C5EBA840F44,SHA256=6DC060635433391BDDCCD74A9E902207F43A82E74A67CBA107CA17AF2DFDDF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:07.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69C5CEAC79A5E209C038AC86B613F6D,SHA256=F1889DEDDABB92C2E93C3F3131CF15FD64AE8A76EC6A41B01FE489032AFE4849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.528{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6674022B118EA32757EBFB76525905D0,SHA256=E29A22D2D04A8AC8EC76F6BE21033BB8E3B05A70130871AF24AB1D9E4BF72ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9BFC4FA93C2DA4F8B9782C552AE83E,SHA256=DF58457B15AF0CA47CF7689798F6BA809373292E5EA2C0CBF7FC38298510DE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:08.863{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B3A6385C2C122DF6C39F3282F220D0,SHA256=95CD59C89C1AB54248434A1630522FE6D5F863E8B6F0EE187266FD7DD71FD2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:08.331{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A7AE611958BC170D8F9AD18A8BAFDF33,SHA256=AFDD69C319EDE7AEBFD5ACCFEAF2521043374487183E921A136CA5A7B1E78216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.544{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.092{D371C250-BAF3-6124-A806-00000000F101}8243324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BE72518882215A3144DB4FA10DD3BF,SHA256=F6C4CD5F7E369089F9E3D9A8ABE12846C0A271312EE6C8E1819F7E47F41F69B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:09.878{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DA049FD768B66F58851DC7D09D8907,SHA256=8DAA2DD549CEE32F5CE6F7F79D927C6F97A515AAE9BB3C13E6E729FC99409189,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:06.704{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.106{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17652426DD274E60B5BE6263660AA39,SHA256=3C69CA7D34626509B402BA893C73144734CD1761D355FD08DA5DA1EB4F2C046B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.106{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6AD61FBD5F4B38E2346C1FE32923CB5,SHA256=DCC525FF8C9D20C742A1297544AE7611C7F8E5DA39073180937BC294B308C074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.044{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893DC2DA75EB96FAC9D6C31EB36EF28,SHA256=A45336D4DE81828BDF800063774FDFFC9E804324880C69F096A8312461B4B246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:10.897{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA85090FC3B1407A2C4AE1B8AE3D8850,SHA256=65A2FB279248D5244DC614C0934E5DB8FBF5A2D17206A804A8ACB881A92CE3DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.220{D371C250-BAF6-6124-AB06-00000000F101}3316352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.049{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:07.017{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52308-false10.0.1.12-8000- 23542300x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.916{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAA0DDB338ECB4EB7E014F8246F6CB1,SHA256=0EEE6FF52120AE47516A7C418EEAFEA9F8FA36DC146849697704B13A984C74C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.986{D371C250-BAF7-6124-AD06-00000000F101}34682424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.846{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AE8972EA2EF2B6E75639AC6AA1D673,SHA256=2A31896E398BC8BAE0A3AA376633E1A52FF3911A93DBE9B94F767AC181424334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.345{D371C250-BAF7-6124-AC06-00000000F101}20042072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF7-6124-AC06-00000000F101}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAF7-6124-AC06-00000000F101}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.173{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF7-6124-AC06-00000000F101}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.174{D371C250-BAF7-6124-AC06-00000000F101}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.111{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17652426DD274E60B5BE6263660AA39,SHA256=3C69CA7D34626509B402BA893C73144734CD1761D355FD08DA5DA1EB4F2C046B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1DC5A43C92C0639AF055F74AB9559D0A,SHA256=1A676252074BBF298DB3E5429C4E2FB95BB34CFBF9B1E03DBF2F0E2F7174D50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D6A0A7CCF3A12E91E024DC7DC94F7EFA,SHA256=C9261A5D3A29AEDDCD09FCEF7FCE48C5C5D8E68C0C7EAD0FC458A76B2C1C44B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=74B9AA6368489CECB546A2FAB4D7EA95,SHA256=4419DE8679FCE057A64AB0D66FE5692CA5AC761203E033A7C17DAF74690D49C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5DB3120E9F15FB94AF1109D333B0E069,SHA256=0CDCEFF14D7DA3991E9695878988BC822FDD1CD4C748658C8AF1D2EB92EFB9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1160D66B9D5924C4F26AF3D6D6867D5E,SHA256=DFFB79248637F4025267824244187E80CE8D20B71ECE86B6B76FF62592FF1086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A1E4ED1AE72BB165A9FD923478FD2578,SHA256=8BF7A8D18D524CD7F30B0FE7507BEBEFA6EDD6D8CDC93A3CD9C693231801BA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=30F6A2E6AF47454DF85798203912367C,SHA256=5C02496D7D07DBEB3AF55ABEFB19F66A216A6397C53951FB02426E65AD102068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.263{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1EB2BE1CE55EC1B516D8843536242F2D,SHA256=8E89739FA00F0315C6E4CAAEE3167EF5FD6A3671E6EE82EA05CBE9BAA767354E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:12.930{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C93DD3822D8F7AC529F336006565C94,SHA256=FC00523DCA55E08C7C0E23B08D780E754CE5BF813481D7AAD4D6A64C69B221E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.939{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197E85B8FE1767341C34EBE7B3B22D04,SHA256=1296B72FF0B112D652E3424C26D68E2F061849FE00C457D2C8E0B1A07325A10C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF8-6124-AE06-00000000F101}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAF8-6124-AE06-00000000F101}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.517{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF8-6124-AE06-00000000F101}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.518{D371C250-BAF8-6124-AE06-00000000F101}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:12.173{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0613BC3277F4C46E4F6DAFD3B71DCADE,SHA256=A6AEF1D91C8E2C1618649C35DCD1963CDE52D9BAA35FAD31286382CD49077BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:13.946{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B9BB447167246FDF0FE6C62816E681,SHA256=A312027C76B09BC0E667AA7B99B7ADDA7DEAE285CD0820EE0262A237AA4B7FDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.740{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:13.626{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39595E3F70E5980DEC0B486C130633D5,SHA256=BE749E600C10CA24CC02BB176D9817F41FCD24745802CC7376E550AE372EAF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:14.961{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DB7B2AEEDC3460F278635E61C63831,SHA256=C9D41CFB3583EC5AD1429E77E3ADFFE99786FEA0A6E87AB6E5D53A373D302862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:14.142{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAA22DE7A2E0E52715C17C153EEC4C3,SHA256=CFF1DF7939DF4D1799E3AB5A7202AA8D4C6BA20A49EAE82BA07CDD04C2542EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:15.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3B2237F5B4240FB12F2256B68A06AE,SHA256=21E86FACB2E78CFCC8476F7B47C612707C94542B3CBA0761117450D5D4818EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:15.361{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A045F313C2CF538A5DFB0B59C945BFB,SHA256=AF023A43F33A2967D57C93D9847EE056C671FCD1C66953157FBCA187629D425B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:12.055{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52309-false10.0.1.12-8000- 23542300x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:16.997{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DE71FCD05893B50D4D068CEC6699B,SHA256=42370CAE2030AE2C24C8A2D9AD6F677FF711B944C84AF3F06D1E3F2E63CC8C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:16.423{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6406D31E75D13478DB8A89D476060DC5,SHA256=02D5813814BCF09CB3CF255D7EB092975262E204033B6F18725A3022560D6A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:16.195{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-111MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:17.486{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F7B9045C0715053CB7C2B65CE0EFFE,SHA256=3E22CBF3B587CB59C27A7D989C51C74DF7F4A994DC2E90E6F14ECA69AE1C2873,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:25:17.829{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0xf3e2d8a0) 23542300x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:17.215{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:18.720{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0A89CAFA1FF14E8813E09E6AB645F5,SHA256=90496944F4DAA448E98C6B7759EB502D5758E0FB9DB3FBCCB6820778F5D206A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:18.013{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AEBE5FAD4E7E72167FD7E666772E30,SHA256=FA8A22DF9FBD6A3381C78455BF66B55BF4DA71997024E88EEB4B980CCCEFDDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:19.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2350BE349A3080F527C941A9BB17D53,SHA256=6FABB74EEA06267602AE82CB81D44A1AF9771B8BC2E1F0D70011CBBE28F9C1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:19.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FFFB074861117C9FAA4FD7024242C4,SHA256=CE3E998070E6A5AF4BBC13703B7D4AADA9DBE5F370E4FBA3E7107166A3E6F901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:20.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6099EEF5C4DB25809670EB947E2D26FE,SHA256=D514A801598488D23F463CCAA6B028E4A9D7B0CEACA8AAC7E5FDB29A40E3A949,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:17.756{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:17.068{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52310-false10.0.1.12-8000- 23542300x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:20.059{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8299BABCA59F5FCD3C55E6C7738BA38A,SHA256=CC2D1F736D10B789BE575BD88516DD13FC457B3DD6360F9F63320704DED901D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:21.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D0E18D73124D1C4272CA464F22B4A6,SHA256=39103404D859E2DC482D953013BC9B151F7C023F76A6067125DFE753798CC3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:21.074{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F61A4C850C0B81DC97309AA334AB6DD,SHA256=FB1CBFB4E08FB42000337271AFE2BEEA5EDBC2E2529E3F37AD80BD4318D41342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:22.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0441FAD111B789436AA809D1C3070003,SHA256=426B401D1E069714E5B52F00A60CC3E4320F861EC6F94DF3D34E303CC91464B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:22.092{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00446CCF8B3AD944B8F6C3DC9C291CEF,SHA256=B28E0E3172BBE598CD1C8B63B1DF8067D4F33422F18A7CC18BCF6C777C0C8913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:23.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF23CE33C353DD6284388D5185405273,SHA256=AF59DA7E5425D5CC4F0A725975DB1B7DD7200CCD72685A1D8C2342786A9887C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:23.109{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6963D58D4C57FBD0179871894DC1ED8A,SHA256=D8A306D07D88217652BF12DF20D0292892413E01471B5DE47B2AD3DC0E246D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:24.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08279E0089B22981B6BDCB5E5DA504A,SHA256=878D75E3B9B2C930A40C605AC63061D139DDFCFF266D838FEE2E1DCBEFA32C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:24.140{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882D6A6CD91E540637219B8C0B3FC132,SHA256=51A2A545A9D9C8AFB4048BF2C0439F9E5D7B403FDF3173FE4A5E844B876702D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:25.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B5181257819E5DE979C7EF09ED19F9,SHA256=A110A6800DD68204F8CA938F2850CA818EAC75E08FF031995CAE241AE1B70817,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:22.865{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.639{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:22.079{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52311-false10.0.1.12-8000- 23542300x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3A96A85DC0060557E5F467A97DEE0,SHA256=6903E62BDAAD0EE7273EB09DF3940F9BE8BCADB5F07134856D8BF38FCD337B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:26.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A249ABF66312B7A595750AB7536211,SHA256=435AF7CEA6B0AAD52B798AAFAB72AB5B85E9EE8B8F3FA750D0F6CE2038974D90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911B06E8D8B0EE1F987AE19AFD01D403,SHA256=7CFFE38109926B695A7955F9DB99C317D469D91CDAD815546D4A3F5B2B04726D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46868AC0F0138BD18285FB54894A5BF8,SHA256=8CE4E075974240DEC582617E7595427591D2C16AC23784A27B037CB452942B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.191{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042F20549A6CDB95624D6E0073B1754C,SHA256=3A4C2AC21C84ACF14BDF3F7F25FEEB44F6E390D6D1CF61DC0445CE099DEDEBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB06-6124-4009-00000000F001}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BB06-6124-4009-00000000F001}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB06-6124-4009-00000000F001}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.139{80A11F3A-BB06-6124-4009-00000000F001}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:27.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D69133278F804C87D9280FCFFE1A9C,SHA256=0D0CE85F549C32942DF4B0DB447EF9CEB96C9DF1B4C76071F955F5EB93B3FF5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB07-6124-4209-00000000F001}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB07-6124-4209-00000000F001}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB07-6124-4209-00000000F001}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.906{80A11F3A-BB07-6124-4209-00000000F001}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.853{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911B06E8D8B0EE1F987AE19AFD01D403,SHA256=7CFFE38109926B695A7955F9DB99C317D469D91CDAD815546D4A3F5B2B04726D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.222{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61A40A8274483F3D42954DB97E76DDD,SHA256=D68724CA435B319D9D056C2F4B07FA233F0404177A9302C60BD3F3C10331C60D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:27.006{80A11F3A-BB06-6124-4109-00000000F001}51725664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:28.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08391D2E2B83C90A63B1A0A40C5A1796,SHA256=90389A2F0F8EAAA1ECB79E72918EF7FF6E2E83F4B07963D02203F862192377F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.921{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B563DE8AD1E23F46EECAC3942CA6593B,SHA256=1C98890D82FEAE366364C0776DDA139632A69D1886D0DF399A8353D3A617BED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.689{80A11F3A-BB08-6124-4309-00000000F001}61165752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB08-6124-4309-00000000F001}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB08-6124-4309-00000000F001}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.505{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB08-6124-4309-00000000F001}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.506{80A11F3A-BB08-6124-4309-00000000F001}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.236{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC020820C11D5C162C2BB65D5FC64471,SHA256=67BAEE51A283140B9E11FF178A570CFDB35A54DD10FF00A077E20EB1D03BA932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.068{80A11F3A-BB07-6124-4209-00000000F001}57162140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:29.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CDB98D410F455074B9A9F44EC55044,SHA256=1421219CB8A39555A7E06F76B83607F365B7AB56D9E156384E64C4B89514B72E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB09-6124-4509-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB09-6124-4509-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.788{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB09-6124-4509-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.787{80A11F3A-BB09-6124-4509-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.305{80A11F3A-BB09-6124-4409-00000000F001}57406372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.252{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2AB3956BC27CDE776F7E552960FED,SHA256=F94EFF225FA5B76E0A295655356090485253F6C1FE44040B346812D98F8DF523,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.121{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:30.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D26E67F3CD02349FEF7CCB4E84E5FF,SHA256=56FEBC6344B27C264268B596E8EE88D630847C8DE114696BE14EA2A2976E3EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:30.252{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C8464A20784F535D8B5B6D12A142F,SHA256=8FB12322212088526DA9B208E26CBAB27402E5C38D6844E2998874A90E22D2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:30.136{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DBE4A46AD2833DEE71418531CEBBFDE,SHA256=CF03462879599B62C2EEB8A27414F9BE7108DAE4BFF217DC1788C56ADFE72B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:31.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF1EE401FEED8F29DC8C7311BE68913,SHA256=0FD3E0F52FBEFE41728BEFA3E780D0C478633476F7E7508BE98195EDC271C298,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.007{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52312-false10.0.1.12-8000- 23542300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:31.267{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC23EEBF315B212CEE360ED61ABD4344,SHA256=EBAA97F654DFAA75E4912ED73A9CD26BA063D247B4A164C2998177E14A36BD17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:28.662{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.889{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7590515640DDBD41CED363056C8ED9,SHA256=C594675B1D46891C0A6527D3B0389492447F7DCD7E969EBA47AE1191DCFA525E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:32.284{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4597A34417E906D081C99B25C3958AD,SHA256=125ED91E488761B0C030334741E7B3B81972D17D4801059E9776C5075CEFA22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.811{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.411{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-104MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.903{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BF72258151950F3397135D4D6C2883,SHA256=F14FC01D94E920BF4D1964C6183C2AE4309F9A87CC0A896EA59E188C2A2F0DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.421{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:33.318{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4D968D02E3BE88D73AA61F351944F2,SHA256=005041615EB99FB571E096CA059DE319C25B253426CA693C4FF1D496734219EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.409{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:34.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09FB0FBB9905188A729F18511D90443,SHA256=7CE71079BE6881BBAEE58B63F3E09AA71E026D0CFA033CE250E01151FDED4C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:35.124{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E722795DAD0912F31E13807035DAA,SHA256=BB26DDFF87191FCD57AD24892210F2D089571C82341A8CDE636E79FF870D6668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C28F2858DB7E274157CEAC992FD2525,SHA256=EA6D866E46FEAE23785A4F91821565C71ED92DA9A8BF8EABD9A88A13E15B024D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:36.343{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0327BA68FFE80C3EFB53F457EF6212AF,SHA256=BFE7833D677110666A89C4EA71D526363B9BACF1E6F72344010358B616C16CD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC20474F626503FD83ABCDB190935D07,SHA256=036F53E59B774CF4C069E145F8F37F91E61C5CF8539DEB96C1BB89D528F00D25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000026521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.800{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:37.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42A15994AC6FCE7C02AE291557FA4F4,SHA256=CC2C05895307C7DD7108E7FDFFE5BFBA09AA54A9E062567EFCC357031440EF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:34.025{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52313-false10.0.1.12-8000- 23542300x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:37.799{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C868B7B831A29163AD0578043D765C,SHA256=E4DE2765857D8AC297935C3A7BC4F3A283C1AEBA15FE7FEEBA96FBB9527FBF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:38.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8075AD3DA9DA2A81750122684F821971,SHA256=0F83C75A62DACB2A3FE3266D85A08A969156D3CCB945A10EF9026CA54BD47AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB44AAC57170C98B1E439547E27394F,SHA256=86DFB215F24F9C7336215A1FC82FAA6BA79FFD3703421D486F4A40B5EB259295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.714{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96998F7FBFF6518501D07EC0CA73CAC,SHA256=383EAA224D564ADFD8435EBC2121C822628C77AB57B093E3944155FAEFB61640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.714{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D211690C1AEB37D76F0D11284546E6F,SHA256=FEA7526CBBC42D1386E38E75C1BBD9A7D126F2367898FD75119065E6725D1B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:39.452{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F77133EEAECC0962AD809E14047532,SHA256=E5E17AFA87C45CC841C350518934D1AF8E0039807D80B5464CC10E15051F511F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.624{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52314-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.624{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52314-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.829{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFF27CDAA325142D279D182DE76CA29,SHA256=6FD7B047C457F51CA6BAA676A13D96A9C755E720BF4E1BE49AEFCF088419AB6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:40.687{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEE2FACF513FD39F9B7677A5FA8A0DB,SHA256=7B5BFFB9665C2B29ABC7CEA20EF5D2A6B3AA90B8FD23CD3D4DE5BD4DE7E02DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:40.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB36008D4CEC3B9616A64D850390291,SHA256=06C8357A1F55BD853AA0A95A45774BC033AFA37DDBFAFCF605896263C13123FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:41.905{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98105C3026457C381609F1765BDA7A7,SHA256=B4889E9450576999DF260802F39EA76913138AC275739313BABF3F1096C2FDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.858{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1683D206BB6BB2ABF2CEC16FAEFB42BD,SHA256=4CA27D220F17808FF81BAC4B27C12D5C366EEACD9274A7D203AF6C1D453DE129,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:38.863{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF69e4e3.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.212{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\aborted-session-pingMD5=4BB6A21FB3DD5F49AB4D84E24636C29F,SHA256=AA24F46326F09308C1A5740997C2CDDF07034F64C092CD9C7342FAA551E6286F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:42.921{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF4E42E60E9CF1FA469454C6C434165,SHA256=01D20A492D0CC52D4DDC6A971F57C0C1E3D6C51EF4D457BD3B0C2C2A57F3D4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:42.875{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D85E008F81117369CB404C8A20772F6,SHA256=6135ED14AF321327D3D6311F6DD711A9E8539260318F1D80BAC41AD7264B71D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:43.894{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31ED0275B47F5B1F7D561E898F75093,SHA256=6D5AB47AEC640D7812BBFC0C8B5177ED2868AE7B2AF8C9EF1B56A7E16A8B9E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:44.924{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40554177F7AFDD77035D4FDD707BE232,SHA256=9E8DD81CD7603449AAAEC454757806616EF13715494E0F6A103C4C44A8BD42C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:44.140{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C2C194086AA815859AE468D2971665,SHA256=5799C5E41AB8CD86AE0C9407A3C5ED083F9A65BD73453187A413C74110B67B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:40.020{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52315-false10.0.1.12-8000- 23542300x800000000000000047290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:45.955{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB166B521E97F7C38F923DB406BDA4A,SHA256=2D137B6F441B07DD0049364DE9B056148167E4B1A76949A07828912E01B4509D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:45.374{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0222B4E782A1471FB21AE3083CB2BE,SHA256=585434AFB09919DFE473C48EC97169B84E75773F64FF9E9C8A469F4965C22FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:46.972{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2E7FA068FEECB43B9EB1AFCF3B4AB4,SHA256=E812FC9A77AC73465EBBF1905A7350CCFF1707A7234B15D34ACC27BF2F904B23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:44.754{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:46.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BEFABC692B231BBFE57D970ACE3412,SHA256=B155C462809D24E471E11AE45471E2093BB47CF7C5FAC0ABF4E960724966591F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:47.991{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC28CEA146B7ECB1C80EF2D330DCACB,SHA256=21F3280E8E656B6BA48C23DE262AB02ECE4F5F81666F803346E16DB6168395DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:47.655{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C013C2611F0F8A209C8AD240D0E183,SHA256=FEA7139B520001E01E2C1564D9CD11273839361436E98963EFE1317F6D697FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:48.733{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F38AE5EA7C4B1AFC60C659917015F1F,SHA256=146181C1D38279DED18FF59BF0F76C986899E292AB488E34851D38F2C3433B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:48.992{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8422B9FA7322F56835BC6DC692977E10,SHA256=BBC0EACCDC69E55F54D172A65E1B1547244FC78085477EBDC2DDF021F6D688AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:49.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89F6F43129F249CC89AEB21A4A9653,SHA256=8573AEF5B03BC416F9CC84E0A77F13EAB5416CD939A72C5F25AE3F87D71B1A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:45.116{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52316-false10.0.1.12-8000- 23542300x800000000000000026538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:50.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9711792341365ABBBB7F58F6634013D,SHA256=89820372BB3FF2FCE1099F7B1782C49C35753461664429498E6697A8C1A8A8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:50.817{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6804963D2B99A83877D2BB7A7D84D77E,SHA256=0F662BAF83BC5F4E321A633DCF603201B5E6FEB8CEF7C9C18ACD74986FC05505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:50.015{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E984350E268FC85E877405CF722DFB8C,SHA256=A736B5D6380A804DE6309BC96FDB30D9320C34A98AC09646C05A0DEB743EC77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:51.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6EDB12049106AC45F2B99392B4121B,SHA256=D4EB34D37ADBDA8AB84A621A5A3B5118F930F4B0E4E9DA088D1F252DD912D1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.222{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6722A4E765A1E0E3B26E4095094B665C,SHA256=D7E961180E6CF798B60E67CA9988BA896D50E4A11B564E4A7D5F1781FEDE1773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.222{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=FFC2C1BEFBD71921C55F8DB7A047FBB7,SHA256=3D5333D6B4829A7FD04747A185D8FA270FD5F3A19CED5B4A0CE5A77D06DEF573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.222{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=EBD23F78DC32BB7583F1C2A96B13A71E,SHA256=D4C148C966BE3B2214328B1A1248AB8B4DFC6FB84E37785EDEDCF5A8D8B22A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.153{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.022{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619BBF67E183CDE4CA5812C3009CC514,SHA256=B1BAE4A0E3B4ABCCFD91667A324C76BD2EDF7F8340C85788E54C310732256E51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:49.853{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:52.052{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4FB43EA578CA4C32DB33AF72C5D845,SHA256=F98433DED525FC2DB053C1759BDDE1D5D676752D6F2BC27E32EA182FC02BBB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:53.161{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA14500BEAA0BC127682929C23727C9C,SHA256=B1A2977B76C1CD27C7BC8DAE77F4785BC8619DECFA2D6B62A9CE9780256D6DA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:25:53.835{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000047305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:25:53.835{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x800000000000000047304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:25:53.835{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 354300x800000000000000047303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:49.062{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52317-false10.0.1.12-8089- 23542300x800000000000000047302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:53.069{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFD732C5F401A5C6BCC6FB39D90605D,SHA256=EF5B0882C5EEAA55093F52172BFFBCE94176C566FB63AD01D0FD022BC239184E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:54.395{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C927A108454DEDA313564B28FB75D,SHA256=D2A5B96FD4933D5E11728D66BA0042A7E9E9146C4DCFDEE63C72C5B3147FCB72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.764{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52320-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.764{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52320-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.746{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52319-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.746{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52319-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:54.871{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E456495E9B5A8E93F01927E4CC7CF029,SHA256=3747C76A697FC686504CE72DA832D8DA992E58649946CDAA6C948573EE298C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:54.870{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96998F7FBFF6518501D07EC0CA73CAC,SHA256=383EAA224D564ADFD8435EBC2121C822628C77AB57B093E3944155FAEFB61640,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.045{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52318-false10.0.1.12-8000- 23542300x800000000000000047307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:54.072{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3CC9653EC04CBA11FF51D87B345C52,SHA256=BCF12922F556160A5BE1728AD8E8079FD91FF9C28A6EC6565BCBB377796A0C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:55.630{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BD72AA5343B34D251BB6CA74BE790C,SHA256=FC402CF9872D673D1877261D93DF758F7367016ABAAF5B10CEFA390D74C0A8B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.773{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52321-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:51.773{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52321-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000047315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:55.086{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346A61DDA483C81EF5FEEA9871145E5D,SHA256=4F721E5375268A93E8D5A4EEF5CE2941777DC05EDF669FE136C75C7A4F0EBD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:56.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9146C27B97B807463EA4B74666ED1589,SHA256=DE700AE104E7D263041D7C7D6FC666E7F919EE12A37737851B2364B76DEAAD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:56.101{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F6160F1DBB216722D703CF615951B7,SHA256=7B0D8A1E9B062748FDC7B7D7C76F104790F4FE7BD4919C6B9530C91E2E4702AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:57.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A68BD0D88707C4EB1EDC7B90412AEB,SHA256=BAC2CE1AA68AB13591331058C07CDB56E686FA12DE7A4903E01DF62773A742CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:57.116{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6901A3975CB731FD5792E2967C4A36DC,SHA256=E2A04964E86071C0C7FB06809EA288EEB9C2448BB8A3F461D0882354746E8F46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:55.853{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:58.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD84623CBC079E570D36628DBDAC7AA1,SHA256=150B6AB4B4D8508789AD3D4731E1BE25CCFECCCB96DC52A348ACA132E119F867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:58.116{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BC405BCDED33D1C5A62351940E4C35,SHA256=52708C342F5EC7757B9F4FB1AFC4EF2A0D345C0FCC8A3F9186B26458C5376EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:59.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80727117FDBE929EB83BFAFC1DE48890,SHA256=01BC2F6BF2750FE12CAE2A2236A69FC5625AAD024D87656A929028C6FF0D62BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:59.146{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585A6B775D2BF7FCB5ED15B8350FED33,SHA256=355442CF22E4C911B2CE2F1C2C0FAA0F7B3E1BEFAD829E8AC887CAD3935B55CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:00.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4113052445D41D98C52608245DA78693,SHA256=364AABF3CEFC679E29C3E893BD0EB6FD604F40DE0659EE5F9A00F75027552247,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:56.091{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52322-false10.0.1.12-8000- 23542300x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:00.182{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A187039E6F35E07E5D1EBB07B23D2462,SHA256=D1689552B191C8784F2B18929A0F062AE7536904097E3382C036A3BCB44F7AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:01.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2F395EE8533662D7486E462E8A6F7,SHA256=65C742CEAA1A45376D0927EB81ED5E40824DD87EA033EFB155AF8D05F12C1431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:01.197{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63812834359B63A0DA04B2C582EBB3A4,SHA256=B45831208C28C56B23DB28120B920B98BBA773368062FDF84F37895E31DC7A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:02.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C87214B693E41FEAC67507BC123245,SHA256=CB5311F29C28AF8CD16A6B1899D27D8A1C1B1553F23315F2C198BF8C3794FEEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:02.612{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:02.612{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:02.228{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D852EFF933106BF8437F6F076B30450,SHA256=976EBE17240271E1536415AE66A1B986F817081396B1D7D5BE536E60D4F56702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:03.927{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6696A1EDEBC31F57A10D81A8E0D38E,SHA256=096C8F82B7CB3E02B953B1644FDFC9D2D6B3D8A1B0D85AC18E165F20E6900734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:03.243{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694892AEC15763303C5FEC535F6499AE,SHA256=A875E2A18D1F51AA7C4C2C628FFAFCA6FCD5EDDE95D23D15FCABAEF1AEF9E00B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:01.744{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:04.942{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F4F93981B29C92CFEF155689044582,SHA256=4DCE0632C2F0DCB42DF2A4AF45F50024615B36CAF6C0368B2256720997580E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:04.260{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7AADA8296F6B0F6E0125A78ABB8179,SHA256=E94B89859CE17279A13093125C650964652FF79A46A326A928724D66CDD7046F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:02.084{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52323-false10.0.1.12-8000- 23542300x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:05.263{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD23A29D7DDCD217E43193BD487E9B4,SHA256=E5EBDA5CD007C7BA9D1E5AF3FA89F358E1C3DC46291A44D7D96001780F5683CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:06.161{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4971D82C4BA92FEF800EF0BBEEABD069,SHA256=0A4FA755D2FDEC6EB31A58C316B7CEDDF329CD88820A7C1939630C485921A762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:06.279{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C72F152FF607C90713BECC509B7705,SHA256=17BD4472D27A6774F96EC0DF59A06420A7FBDF24F4CAEBE49224E74D8376A686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.192{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6DF81AF420E1A3208027125AC78EA4,SHA256=4DA6E999C8C226AACED118F231BF45683F95FE8E0009F90959D68D00366FBD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:07.294{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855724625100E390E0FE410B1DC9EC1A,SHA256=6E66D2033AB328B5B29F70D61BFA2AD957CA722F8EAC7FD76BC772316195F89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.942{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3030AC3B9DF4E0BDCDB820F21A3013C3,SHA256=EEFC2B479051E47A46C765CACA55501FAABDF2756B7B93AE4DCAC2E512B06F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.942{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C478229EA40ABC59563E8CDA6FC1E790,SHA256=986E9F7D7D3A5B4F9C8187B9D435A7B11D0DA249EF3E269AC2FBBA60AE5193AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:06.791{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0560998B9603015DF685FAAFE9452B10,SHA256=E3AE78A2667DD4158BDB3989111756FC60AE8F9DD546F717412579B1E7A1CCFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:08.340{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB4EA35A1458D17A6A0D61C6B9264E50,SHA256=37DB67B902CB50474C3806905990F96BEB942D5686C13BB9744D0735912C5555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:08.309{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC3E30F08724BA9B5761FBEF8E22285,SHA256=9BCCE9AA7008E9768DB4B8F778C4E66D6733D550FC30245EBCB1C2B135EE04FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.381{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F5961AC23310D82F1A39422EAE6E2,SHA256=966DB427BC025C16E59FA79D43B2C2613C57E6055110BEDD449CE7923B058E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:09.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E08FA13FEC809B760842A114C46F91C,SHA256=284684540E52C9733A5B2CB901A3C7EBDD27061F076F96CB6C6594F74477E0E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.239{D371C250-BB31-6124-B106-00000000F101}27962500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB31-6124-B106-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB31-6124-B106-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB31-6124-B106-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-BB31-6124-B106-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.833{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511085FF15E32F0CB1DBCB52995DC7AB,SHA256=6A2BA2EC9A0E6DA7C6B12FA20553D6BAB42FA7D88314B5CFFD9AE7382E5DA0E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:07.103{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52324-false10.0.1.12-8000- 23542300x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:10.360{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F413E2348BCC6DFAAE16979402FE82BD,SHA256=2BEA95DE207BD88482A6CAAE0379790FED484D19665A08006DC9B7D245280920,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.177{D371C250-BB32-6124-B206-00000000F101}496536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.052{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3030AC3B9DF4E0BDCDB820F21A3013C3,SHA256=EEFC2B479051E47A46C765CACA55501FAABDF2756B7B93AE4DCAC2E512B06F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB32-6124-B206-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BB32-6124-B206-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.036{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB32-6124-B206-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:10.037{D371C250-BB32-6124-B206-00000000F101}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.989{D371C250-BB33-6124-B406-00000000F101}19003556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.958{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7B90C5F776B5551661F54762D85F38,SHA256=427D1DAD2D563350F7548198DA8BE8F40DE83C6D9AAF345A80E780AFDCC217BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:11.375{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EE1B8196F5DDC3F437381AD95C32C6,SHA256=9BDE904756013D764DA77FBFF3E088FA042B4C07A4E7E7A5E0073C5DCE750517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB33-6124-B406-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BB33-6124-B406-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.833{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB33-6124-B406-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.834{D371C250-BB33-6124-B406-00000000F101}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.364{D371C250-BB33-6124-B306-00000000F101}18121644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.162{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F1F1225A4AF0752121131BD203E5AB,SHA256=1CACA27B334ED7C2642D537AE5D49D9C8D0F6363B4B1727585C4CC0155F4BF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:12.390{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A0A02C27963D70E76C45525ACC87CE,SHA256=7965CF84BE50D40D97A4A7BDE8527004011A36E7EE6CEF0C3C2CB8935A4C5872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.506{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70CC3685FADA46326D48374DB33596E6,SHA256=0888A9D495368E84716C3AC5D53032FE5271F4E2E9DAEF4FB5BB547BC19E585F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:13.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0995A3DFD51618F1F5CC534349EF42,SHA256=77220EDF574B6EF64BEF78B4C7049F4884056F807500F0EECC7A0E23BC236439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:13.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6446B989A46BF714CCAB05A805F7200A,SHA256=BB054B7508AFED0325676F0EA73AC0908211CC71A7B92C439AD1469F1D3B438A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:13.505{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A81E6391FCF68E1A1DBB38F8A39F1B,SHA256=E36308A5E83315B63E23A1138444DCBA46D8EA2921F8D259BF1D96B80AA8DCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:14.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514F8C5B94CDA091ED98DA271DA50584,SHA256=0167BEA61CEF35BED5909F6AA1BCD5795E3D42C75A72632A52B336C42263E6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:14.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F763922850346C24E8F16FE7231613B5,SHA256=7DF7AD8E3AC03AA3E917D9D592F64F93E559E901196206A8FBBDBBD9872C9424,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.838{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.988{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.988{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.988{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.972{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.972{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.972{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.972{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.420{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6996A2B00451F909EDA2CF4E802D4314,SHA256=D5E14BC116B2F84DA0EC8233769987B8E54A6467DA864D807E8D39426C8EA21C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:13.077{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52325-false10.0.1.12-8000- 23542300x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:16.434{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71561F51D46063650DC8A12678083E32,SHA256=BF6A3ED85FE02CC9E3CAAA9F77B5A2892742767665DBFE7F61EA20E10D47D517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:16.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7443C1AA9AE1C26CFBCC126F18D51066,SHA256=D7B70EEF3FD2B4B9E0A3C79C865C0FD6D499385F2AF41ACB0AC17268D289D413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:17.735{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-112MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:17.452{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09BBC4203156CF300E6B84D8FC47425,SHA256=D2D65044F3A3620E78456C5DEF14CDFA5AEE664565890769EA479469ACA4E34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:17.442{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDE2D182F4DA9D5ACD524475DE7494D,SHA256=B2B37F692C77766AF7831AB1953109D3A3DC658325193C6B6384D51C05531A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:18.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC337B074A1C73E1ACD4941170FF4E2F,SHA256=188B6072184C54C638EA561C1056DA655119C71EEED0FF085F5842F7C5E01276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:18.750{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:18.487{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D58E00991DC390AFF28A46835B5A450,SHA256=249B207DF2960B04B2EF97222A4AB42AE8A1D7392512759AF75915A12BD2B2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:19.817{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A8C73C72459F6A1462597C99F042D6,SHA256=5A7B1B13A3D6FFB39B1D6B1B20F3D1B666A21C73E3BC6965C3E92D1EE92DA157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:19.502{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593CF5478537D87CDF4E1D84E95C886F,SHA256=4798F917E0450A2F7F053B7FE571E82F4056D892AAC18EC37120C1DF642E5958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:20.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292CF411A094837AE1B6748691899E05,SHA256=A75650915701D954A2D38FD50EB916C1DED0C4DC29C22FF80C70A6198524C360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:20.532{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2DB6AFA4A6202A9DAC7C1D5E9F23CA,SHA256=6271E99F9A9CC9E79EA0F39DBCC054344BAD47A9B773F1FF8E659D19A4A16B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:17.667{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:21.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E4E88B9A100F2463C3954AE1CDEB0E,SHA256=A7C9F556EFCEB9E66D19880AE8662C3DE4D1024EC8F469546A03BBCA371160C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:21.549{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0D3AFB0ECBF065186094F0E3FEB97C,SHA256=E47B69361E6BF321D4A0C5097FC5203BB2C590C6AF94CA0B5CFB9B62BE016F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:22.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9D0234A0CEBC99FC458237D2756EDC,SHA256=7EE02D84097B4FD24F40099AF79716F5489DD715B6120238C701F4580DADAB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:22.568{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722312E7A138A34C3C7232925BEAD511,SHA256=85533FCED60C6B11E5C86FC555A308CD691F730D565610B398BA5B596C79F4C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:19.011{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52326-false10.0.1.12-8000- 23542300x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:23.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C98A14EB75C062261F1A85D7BB7E4BC,SHA256=BC33DBF9E966528400EF491DA637EFBD22049B83BB0893C0FCCDF3EE07D9CC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1D908C073C6FC0480C9B5F8331516,SHA256=B44FDF20969320FCDC6D812396BE7BC5A004C650F208EDC1EDEF36FFF8FF51C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:22.698{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:24.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBE0E046EFDD701CAA9F4340707627C,SHA256=1A9CA3B18F6BBF801FDAF4EEF77F2076D44DC18EED6484F9A7852ADFFF5CDA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2665DC16D13D6EAE61166A15CC204C79,SHA256=D73A67E160C3B0A90C78A7B1F38349D7D7F4C6A0B23B7C8FF41423678F12B691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1D7177C04EABC554F4A0BAAED878602F,SHA256=03D2A8AEC8C31B66013B2D2C0D8A261D39D60B7C72E8DF2CD97CF647C63E71C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=9389C4AC6F8C57B449BF3179FB7668DE,SHA256=E6B0665E1F9C700CD1433C25E4C8F2ECE2BC774BBF8BC5342B8F724E6AECB3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=7E633AD569612A4C5EEBD3175D8068F6,SHA256=82B5B7ED524BCBEC42562A3D7B1E2648CFAAFB3E1CF594E354F3C83CEB302823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D26EFFBE6E2AA770C1F9C62814E0D9D3,SHA256=DB9E9CC7D1A58EFC19FBCDBA6A0E4A9D9A30A3DD7FE3ED62D49E192A8B5F87FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D6B8C6629822E9A70FBCF5D738206EFB,SHA256=2ED4310DFE056880ACEAD2B25D837F5CE7ACBAB327B5CEFF22D3EFFC7856EF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6B71FA2B339CE337094BDC684A99609B,SHA256=47FB8E4C03AC763461988F7E58E8C10026E1C6E4AB0FC6AD562539941C4E453F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.383{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=56354E9FAA617B8CCB9B91C8F4409A51,SHA256=EC6678043B82FD745A993F267BBBAC69085C86E3233EB786DAA94DB522548F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB41-6124-4609-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB41-6124-4609-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.666{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB41-6124-4609-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.667{80A11F3A-BB41-6124-4609-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:25.597{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1642B3F3BD77A64A8B18DBDF23D9F8,SHA256=A24059763CCC722A4F5B78EAEB8D49BCDA787C30F26A538336A5104D0AFEAE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:25.427{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C2D81F5C7D938ADA4EADAC962EBC5F,SHA256=F7AB8B6A4BF3A5C7E2B5B8DAA46D488088A9193A8B06B63925BBCBB5D7087B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:26.661{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EACBA36CF22E5B28AA0AC5093DD618,SHA256=91DE376DD983DE213C0ECBA0943F9CB32F97DB8C7AAB881589F4AFC04F5E9781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB42-6124-4809-00000000F001}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB42-6124-4809-00000000F001}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.913{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB42-6124-4809-00000000F001}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.915{80A11F3A-BB42-6124-4809-00000000F001}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.666{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE7A79E960142A7437BA7A7AF55392E,SHA256=957CFE084E5FFD89CAEF3A1D47A1F3373C15E4101B353FBD4D6D846976B358C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.666{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E456495E9B5A8E93F01927E4CC7CF029,SHA256=3747C76A697FC686504CE72DA832D8DA992E58649946CDAA6C948573EE298C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.613{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8ED5759045B4E11E30C2948D697ABE,SHA256=5FA21EB23732B753CF41F26298651365118A24C67132B443730D350112945B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.329{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:27.895{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DD5119067F86B6EE6886E8B15CB7A2,SHA256=7AFFDB6FAB4117FCE961E42D708B3159697FE181B7E167F69AEB8DC399B62EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.949{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE7A79E960142A7437BA7A7AF55392E,SHA256=957CFE084E5FFD89CAEF3A1D47A1F3373C15E4101B353FBD4D6D846976B358C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.928{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.628{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5304401A211DFF972BC1B97CE9A8FEB,SHA256=F349D16EB3F550A60876BE38487041EF6F7B47762A75EBFF2C29B6BCD38B32FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.097{80A11F3A-BB42-6124-4809-00000000F001}6924656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:28.989{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D615128C0F7B67A5BD9C3AE4DF477B5,SHA256=A2E55A9C141FDA7BEF1D4036BFF490EF1DABF8865624AFC95DCAE7BF21F2243B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.992{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52327-false10.0.1.12-8000- 10341000x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.796{80A11F3A-BB44-6124-4A09-00000000F001}63726248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.649{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1600D3CF89B2A2EC3B033493872662F4,SHA256=BF732F65E9AC6C820A85C77258D49269A359BA7232F45B0D412ECFDD8DF61580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.112{80A11F3A-BB43-6124-4909-00000000F001}49566116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:29.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32BC66B93A46A42A621023C988041A,SHA256=B0F68CE13E95CBC5D11D77ACE9C0EFA40FF2092672ED1927A0D55CD4648A5009,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB45-6124-4C09-00000000F001}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB45-6124-4C09-00000000F001}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB45-6124-4C09-00000000F001}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.797{80A11F3A-BB45-6124-4C09-00000000F001}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.664{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DB78917DB992B826B5B3B156073AE4,SHA256=460CA417D7462900862F7C94364A2EBEED38788CA316EF5CAFB6FA61F1AD9254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:27.714{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.626{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE7CD61CC8F6EF0EC9C1C92038774B03,SHA256=AA8CD3518016F1B24735C7623AFFA7C6DFD4F4BAA7B71E6EB63B221BD914087E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.479{80A11F3A-BB45-6124-4B09-00000000F001}57205428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB45-6124-4B09-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB45-6124-4B09-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.295{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB45-6124-4B09-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.296{80A11F3A-BB45-6124-4B09-00000000F001}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:30.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11B45E1CA213A3C6189C1F19A23F819,SHA256=7CB7E4B8A97E8CFADAF33E345424914BDD91B8DBE54A6645FDB06D639FD184D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:30.810{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2DA89F83C786AB91643B29B0EBD530C,SHA256=511A285D6FC4806B83EDBC4B35306DF86322CB85A693C8C5BD078082A978B178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:30.678{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC3377381F097DB1EF19870C1914883,SHA256=87281788172827CD68B3BCFED20994F9B1FE96C766332CC732938F6049E912E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:31.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8524CE77FBDD243D001F898CB4D46F,SHA256=BB3762398B260C1D97879E6C20A3E1FA8E42A629463FCDDA7C3B77AC4B8F8F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:31.709{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E04D4DD0154842F8CC034087A4511C2,SHA256=CD90C73D8B23E4F40903E8B33B6B0D1C29A79A7CB58B88BAF904D86724B0BF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:32.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247AD13E80C94487DF9E065DD9C53585,SHA256=E1B8DE8EA852EE878749D8CC39041C5BC621D2D6020E8057BF4B5B4679B2165C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:32.742{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AA7522DD99E7D9D79D577457D01269,SHA256=D3FC539262A5B6EB8641B14C72E374BF9A2F8B2E573E05AFA034FA8FB22D9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:32.835{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:33.994{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AB0D6A52AD081000B1AF337C93E0EA,SHA256=65DDE061328EE66D364EC09CA133FA41BF3C4D17253AD503BC50E0E6C3040F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:33.760{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3503006407DC027EFD24C68BD87F9995,SHA256=2C51DC7A896F0C45FD90CAAE6501F148A128B16576116FCE06CB84C705D85E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:33.949{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-105MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:34.775{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3493B699C772C863C65FD1A431E9D4,SHA256=3E38925B508F7ADB1DC6AABA7CF0D4141D65737AB72B14A9962F59E034C2E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:34.959{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:32.435{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:35.806{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9829990B126E2B1DF4AB3C3901E4C468,SHA256=E94B3323EF69935951675BB03AFB6A5E1ED44E14E5111A2884CA6809E993D8E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:33.729{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:35.004{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD304A45B5677AEF810715F1D27FA66,SHA256=4B6990A88DDB0F5AE7D96393B5BDA7E8E36765D13ECA11744179D85610B04746,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:31.003{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52328-false10.0.1.12-8000- 23542300x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:36.821{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8267888C4DA8F42A338D1F2CDF98E970,SHA256=2F7AA1B09FCAFFC03A64CD5D3635DE1A0ACF70C424AA0F677497DFBC42F3704D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:36.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB0F6D463872290505ADE8D8F7D0C7E,SHA256=788EBC662BF840F2AAF66EC3DE0046426A893EC60B1F5DDFE4A19AE2E75C070C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:37.838{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9C0DC99D3AC3B30B3535474DA8B12B,SHA256=5408150E6AFB974E2829F8FE2219724FB76129086684AD078D9DE08698AC34A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:37.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68040A3B1E01E48D73A2558752AA7D22,SHA256=7A0DEFC525586975C9ED9A8CFF7422A8BD774278008D12C99B39337B5DCDD73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:38.873{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF194368FC68BD1C9F01F50F2EA72A5,SHA256=B6F61744B806F0C29B7E6A49DD92508BDF2984037903485BC76D4F2E4308FC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:38.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC47D8D225BD66B7E22664B870FD899A,SHA256=F6B91E4907106EBFE5641AF294F9097CA6D64DAD09B740B546FBDB2EDD347A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:38.740{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E8BCEFB907C2505CAED669B89941EF,SHA256=69693231715CB58F3F11CF770782E30BC2C69BCBB15453EF97EB0DD7983A907E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:38.739{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFF01EE4491B6818C3E45701633B6974,SHA256=C59A542889CDF3DE5DF0919982081796CF068C15056FE767035AA61209A9CA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:39.888{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC683ECA26F1CFD233F45D05C73D827,SHA256=C2F69F7553A96CAC0835606FA43B9A676639865B6B43D5917A972E0BD3A93AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:39.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB73B052BE3CBD0E92EFCA4F19E3B31,SHA256=A818D40B609CE0143C2B802D7B07C60CAD840BC31223C85451DEA06A1A321A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:35.632{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52329-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:35.632{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52329-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:40.904{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BDFE01017AC187378A985648BAF77C,SHA256=1700A2B682B157BB18587C57CE92663C79538E2143DC4C6D3F6DF79A161F0599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:40.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924146C7CE4D964D34B63B35772A9747,SHA256=CFAE4CEE5751585B66D03D1FA5F2241049F0499083FE09444A7296477CB1253F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:36.102{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52330-false10.0.1.12-8000- 23542300x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:41.905{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3CE63577A64E363C626973E6139A13,SHA256=1BA1976DACB52E1C50588066D432303B9AD854C3B6F638DAEDDAE5077C253E91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:39.745{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:41.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7CF0A734B12F2A45FA962181C4BD4B,SHA256=FBCFE8E959B3F7D7A7DD4FBFD9070C7DA676094660B4DBBBA6D045F26EC8098C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:42.938{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB340F1C69A573D75E0B5A5A1D589B1,SHA256=DDAE65D70D8A4EEF00A1C0E169D724D90682E9549D9307E9597BE2E10F1CFBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:42.005{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A49686453617BA5CA790FB3F470E09,SHA256=C8963289F40187443A7A4B236D38E821009B73D2B4AC4AA585A09C70C3AFC6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:43.959{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01ACBB1A4C3155B283564492DC418FF3,SHA256=5921D06D16D315AC5FC2CB9BECD25F0E7B70E86614C972537E03E5EE3C943798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:43.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1FD8FA1725BAEC7178C767A4355603,SHA256=3C93258CC8B6B6346264F4DB247FC2122FE39020F40A0C74E488C2F9FCCE3DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:44.974{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB13EF56E761BE813D5856DF0EF392C,SHA256=421CDC5136D887F963459DA4AB44FA5B945CCB597CEE286A788198CB07A6D0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:44.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE254C2ECC56EBC0C2B723D34C1258D,SHA256=EB4D98FFE5673B5A37F92F821BBA0119A6300515CC767E43DCBD6A4FDDD3E07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:45.975{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3021A15EF847C9A41C0FC4C35E3799B,SHA256=121A19B40A8B5C69D6445BA39D459C837E6694DC9FFA181FE651A94D4438F787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:45.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D1867A4D776D3F07A7C3FB9BC675F2,SHA256=F3A2921EBE1134A21088A13788D0F34922FAC23084B6C310F4B88238210306E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:41.116{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52331-false10.0.1.12-8000- 23542300x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:46.989{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF815F38FFEC611E2651B67F50362F7C,SHA256=0B2C50BED73D12288AF33A8A013FEA40C63C21F7DE6D997ADD219F2F767631F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:46.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BEABF2A482F8016F356248976DD00C,SHA256=BF9EAFB5680BF7C68CF78FB05BF6DF588774014F2DC4A2E62428326388F958A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:45.698{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:47.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3200EC5C5F94EAEF17957AE2ED093E,SHA256=F0E88A2BFCD444FC1A61F5240A0D4ECBB8E3E455C5A090B430D7B8D0E936A641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:48.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8754DF4C1BF30BED8BBD35AC6362EECC,SHA256=05642FE070AE1AF62CA9B477DDFDD910073B269690AB26AABD87DEE728D45072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:48.004{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C742E8FEA10C5DF5544120ED7BA37AD,SHA256=9917F20DE46F01D00167238229BC7FFF2EE86B6A18A6A75FC69380C3E70CC1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:49.020{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2CDBB0FEA760DB670D87D5D951B537,SHA256=6729C77EA287FE69FE53A6E9F0D54B4F73C3D17CD49E89028D210604DCABCF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:49.036{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B0EB123405672427A6D94914B1663E,SHA256=89E11FF5967BD8F5EE3870B59E80D293F2FCB073CAC29DBB1A39F5DE664D493C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.832{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A4393BB12466414A6B754F7B5BA26439,SHA256=AD5F34B2DFADD74566EE20B2B0EFE904973052B3E299B505A09ABED8FFA7F73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4342D200FDAC2DDEE95A678783B58F87,SHA256=26D5F1DAC0CC33905DE37E7CB9F6026D94C4B378EC37DE77871368A1EA56B893,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:46.184{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52332-false10.0.1.12-8000- 23542300x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:50.057{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12D25E20E942DE89D612D7AD4508032,SHA256=F42A7EA385B4A5AF02666C4A761F3C1538C19AF50AE6EC6650EE368C9707A20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:51.254{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71673E0AB7CA0D02AC26ADDB47F9764,SHA256=34B0C2AB08C4242DBD18CD1B587BBE62187D45E708472261A50BF9F730129262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:51.172{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:51.072{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420A8200F747EE3DA6DCCF6513CCA1AF,SHA256=F30114906844314421E2BBB30868E13E6E5671F3E3359AE29BA11DA51D48FD32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.775{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:52.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB1BEE3BB68BA5BCF4D2ACEF52FE3BE,SHA256=37AD733D16325BC6747E03037F7BD3CC2E6B71001ACFE08EE78A7D71F8088C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:52.087{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03843B5434CB956218282B18BEE8B848,SHA256=E208EF171DDDD7C557FEBCD631C48594503966044DF34718D7859616770545E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:53.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DE199FFE486C31FDBEC38E5D113568,SHA256=7A1F3C585AE8FF58028B03FF0B96B63DFE3DBA5242A255A3109DAE7938554687,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:49.084{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52333-false10.0.1.12-8089- 23542300x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:53.088{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2ABF3372A6BBECF3EE4359D745970,SHA256=93DEDE80E40DC32551CE2AB2B37AAE666F9F8A3533E0F589DCA5F338B8830BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:54.722{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2888F48674C62B4A35BEAEA7B9D13539,SHA256=9BB113BE2F428D11438AAF3AB52C18AFC3F7D71DE52511D057A70F76AAD2BC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:54.103{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB3819A9E4ADC301A77E787D52537B9,SHA256=235BE31C910D3664A074B1090CD638A89F4998683B8CFFA83FCE5EE7A965A2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:55.941{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB400FE97621534B5B634A72000CEBA2,SHA256=59F597F1CAF1DA620AF83071B7C7197A6C5ED7588DE1BC34E9E843A2FC229424,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:52.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52334-false10.0.1.12-8000- 23542300x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:55.118{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8AD6D0E52ADC2BE5C46EDE7F81C638,SHA256=05AA89349FFC11E54F62C2DB67ABD27B8ED8BB07A5673B89420EF07EA3AC59A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:56.136{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38C88F476CA3C534D473802EC4A9822,SHA256=72BC7FB431EE3B7FEF992D126EF4725A468744ECF3F158238F10C33EF7574318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:57.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ACA61846EDE64C73C81965EA478BAF,SHA256=4082DD890BE591D146B9865D731B66CDC6D2AD1D00E4DCD7FB0F75BDBF29EC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:57.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95036380A90FE6E21D4DE3230A846EC,SHA256=359DE5F04B3FFD97F6BA250023A3B4E46D8862B848A23AC763E28C91B82465A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:58.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D7B494EF1DBAA04923B1C69A6729EF,SHA256=6CD4E5B0EB592E0836E76AB8FD819951DE830E2609C48878D0AE878FC3B72E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:58.184{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA6CD9459DC50280A16B643E3C76B0F,SHA256=6F2C0E350BAA8F345A803CF82E85344F573C91E4564172753F8F481AC13EDAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:59.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A0CC44160A74234AF8277CD0F26592,SHA256=8E9DAF3CFD7515B260BC5C0529C204A2374038B6F03E71E592AE5FCF069151F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:55.822{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:59.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299D52F90D268D3314562E84F72621F4,SHA256=94478D78D2463B239909B8681A0F99881CDD78DA85FB2C7E8D344B1A48A6373A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:00.232{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7A638A3AEEFD0887025E02AEA1BD46,SHA256=907D8798B2BB024B5A8EA5F88E0F0317921A0669C0F47416DC46E7136B2EC9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:00.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6172F4A5EB078A9F981DA647D6BF0956,SHA256=7E2134E71C319D243143CE7DEF6C07410AEACF360B5C24C8879B44CC54C75A9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:58.079{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52335-false10.0.1.12-8000- 23542300x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:01.250{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAB04E5E26C4768F7D911E54E5D11A8,SHA256=B5BD2E200FA7E715D59DFE4D9656B235A0B59FAC6BCA66D148B190CAD5A5EAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:01.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CD6CA0F18D1675F28004060A3BF1FD,SHA256=485D8E2D842C8AF1F8A136A001C91F27D9E37BA7DB9CDD0398AEAF4A31F98F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:02.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7D6C6C879CA667B2C96A87C70D63AC,SHA256=25FAB54BFD513980DCE2ABF2F349DA464BD02CF4ADA13B333EE9768749AE43D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:02.253{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACC30D794948B38CBDBAA2276272144,SHA256=9A825E3DC7D8304CD6F9F7B27D9154A0A547D68B713D30B040447A3F2FC27079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:03.283{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AF962410466BA42AEC00058B129AFE,SHA256=8BDB81A984299807D1B53D82BB8F98C53982AE577FBDB32DF0041D376F1B9725,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:00.838{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:03.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D558AD3F218EA9D07004659788176708,SHA256=77AE2727E82BB28A527C7A838A9F79307EC59FBFEDC53F80BCA19342E9246E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:04.284{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2132C3E38A8810B17DEA0813AC6697A,SHA256=8A1E86259B520C8B7F6C854897DA31C4828ED54CF2F0536EB82A6C3350B3A3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:04.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C47FF392CE6766095C69B3C31794BD,SHA256=7AB3ECFBD3C248960CC764BF510D2F4EA3C68A2FE97BE0EF76AF7F45F4CCA7E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:05.314{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A785290093D2D5A14870C16664EBDC3,SHA256=29315A3DF09A3D5CE163C85F12F8652DDE8BBA274A530FF8AF5F083738C96DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:05.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E2334D2B20157C13E63165A2E65811,SHA256=2BACCC69015DA45FC9EA2CEE31FDD212F5B368D5BD4059948E4CFFABA348D578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:06.350{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E987F44BE23C4E400968E0C451E8205,SHA256=96741F418B03C6C915B8EFAACF0DC3EDD45AE6DD423F80ABF77B14D1D062011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:06.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B453CB4A2403522724EB799B6D510452,SHA256=6EF68A090CC79E9084C62E160AED07BEAFB54395025AC55AB091D3744D9FB731,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:04.041{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52336-false10.0.1.12-8000- 23542300x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:07.381{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9062E0D8E7CFD3D9E3AFC753B6291D,SHA256=8217B1588883FD11D9DE48ABB19A47E5DC5962F135EE5A06E8E00AAF23DB4330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.895{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD66671087AE57572AE7AABAED6E8F9,SHA256=83422183ADC7633986ED47C278FE95749DDBC1D883D6FC21F9FCE0CB9413DE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:08.411{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9B97B025B272ED8B1556C4019248C7,SHA256=2CE838CFECA7CBDD968BD2195DF08DDEF609F50B7D2FDC5B2EE4C3862BD5A0A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.567{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAD21B2EC49216C4B04398D9CC92181,SHA256=0CBE3685068271C36CF92E95A5DC6396A65778A8CEC64C343E651E3BCF198A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:08.349{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17C6DF3A10ABC52D50B6D62EB055454A,SHA256=2FA38668FC0D1E017B7511717F4AD7818A0206A21F0DE67946FD0085920B5C81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.035{D371C250-BB6B-6124-B606-00000000F101}34682536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:09.448{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C47BA5F130B91FE19625E40CD510A2,SHA256=46F1706343F8B31B322D1DB139A211F4D766CD9D6816A98608C78AE1131413C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:06.697{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6D-6124-B806-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BB6D-6124-B806-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6D-6124-B806-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.239{D371C250-BB6D-6124-B806-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF0F119B7350B33260F794C5EC6C89C,SHA256=8FBA56CEEAB9485EE9594C703D59486FD5291B20328951FCE953F031FC5C63D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE2B2328946CD4E6B7E45083D251DB7A,SHA256=AD0FB4AC34E84525B4215D3E8DA77003B9924B3CB1C43B962336F7A3A0442A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6BF644B31CBDA3FCE772381BBB3DB0E,SHA256=E5C76F2DDB3C07854C366116FF015A093FFE64979316D15F302AF5CC5CA79FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.461{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F1BD52FDEC50BAEFF72062B037BEA5,SHA256=EC369421E92F60EB9F3727C97526AEE9138563F900D1281AB380A64CB33353C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.461{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE2B2328946CD4E6B7E45083D251DB7A,SHA256=AD0FB4AC34E84525B4215D3E8DA77003B9924B3CB1C43B962336F7A3A0442A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.196{D371C250-BB6E-6124-B906-00000000F101}28442820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:10.463{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B079748F8A9E948E96D8BF81CF7ABD,SHA256=D391C0D4C09FEA14B2422091D6C2970B9BEEE69A85AB526BD59EE4873FAFE011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6E-6124-B906-00000000F101}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB6E-6124-B906-00000000F101}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.039{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6E-6124-B906-00000000F101}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:10.040{D371C250-BB6E-6124-B906-00000000F101}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:11.477{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBC4CD1E1DC6D7DEFC390246978C713,SHA256=2942DBB6048417403B1B0C493C2EAE2947FED335E68627313BB877E7A0E20D63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.805{D371C250-BB6F-6124-BB06-00000000F101}31243700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6F-6124-BB06-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BB6F-6124-BB06-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.664{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6F-6124-BB06-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.665{D371C250-BB6F-6124-BB06-00000000F101}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.383{D371C250-BB6F-6124-BA06-00000000F101}35002976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471F5B5BC2AFA37ACE5DEAA6078F0FE,SHA256=4CAF2C7EF9458EA8FC5A00AF4AA12E90B9E6EA1D5B337F5B253AE73EB91CECA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6F-6124-BA06-00000000F101}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BB6F-6124-BA06-00000000F101}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.164{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6F-6124-BA06-00000000F101}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.165{D371C250-BB6F-6124-BA06-00000000F101}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.321{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF5DA6A5404C27505FDFF9EEF6CDB4D,SHA256=6C4741DCC364E0B519DB56F8C7BABA5FB4E913DDDC875B68C8DCB471983DF95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:12.492{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9B18BE5D9BAF6781C113488D438365,SHA256=C5C04A787596AE4EC600BDF7ABE8B0391FF3D87665758D89AF0F8F48ABB00AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB70-6124-BC06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB70-6124-BC06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.289{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB70-6124-BC06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.290{D371C250-BB70-6124-BC06-00000000F101}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:12.164{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5986ED8477330D943AA37E4A6AFCB0A9,SHA256=FA7ED72C8007A7AD2D2876ED1A1C642D9339AA6530CF9C25D706BEBCDE7AD169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:13.383{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC412B79F0EFA6696A06F16BB1D133C8,SHA256=5E51384047ACB13F21D691E6549CB30C2A33F0CA26E159F8966151925D6F05E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:09.122{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52337-false10.0.1.12-8000- 23542300x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:13.507{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29AE799C0AA205E3259F3F96817C3B3,SHA256=09A24EC4B5F2FEFFF6CBFE184EB9F602ABFC71C94402E17D012F4B0BCA47E816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:13.321{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD350E5AF2CC6EBD4954D1207B89E16B,SHA256=0EE9EB3CB2328502D4E279938CAD320D7273C9BD7F0044D75E729E5F4BF2110E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:14.414{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5775B5E76F7D73B2B725F17DF41D0EB4,SHA256=45596F9B3FE002C681756DCD844174208C7A5395D1E5D9342BAAF99214CC1BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.528{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B042AACDBA1C3DF5236BB274763A458B,SHA256=800FD4C67E299747D52CB54309E123651FFD651D0EBD8D7CB7B25E24A2761450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.528{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1EC5C89AAA4D0F50173A5874BD3032C6,SHA256=F511F086C89C9AC0060D2DC83EC3C052B428B970E34D4802D5BB37C3DDFF4FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.528{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5116C8E32CFEB89AD716EEED226C6C53,SHA256=95E00DADD31C6DE0B1C19D54D28C967FB1BD89DB6A9ABC294FC985C62DEF738B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.528{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D3B1D0D63DEC78EE0E23F01CE97AB13F,SHA256=5F2461FDD3A78F8B566198C44DF1E78DCD1CD5D40F18E2AE134F907621A806F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.528{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=21B1C4517F1E8482170AAA9FE833062A,SHA256=508C55757906220F0B4D1871CEBA2220F4AC339DE09E7AB08750F92D7B2F6AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.526{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=C0400B5639AECEA9F306018DF7CC3F1E,SHA256=825127791E5ECBDA24A1FA961AA56AD34A7B4839E9777A363E49F6ED2556D97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.525{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B0DCF72B5D42FF61D30B561A2C51233E,SHA256=37FBC5D7271EF14EBB5640E6BDA168DA45E97CE2884A03FB8B07A1FB6CAE66AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.524{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1241559C57FCDC0562C967A942CF78DE,SHA256=E1460F8B035DA8581E791A058116A3AF0C0131B8F4D1CDE77C4AA277E247BA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:14.523{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=AB5B79B30C7B4ACB0DEEEE178D9EF3A8,SHA256=8AB99A84DBEEB2DAEC16CA2FE57EAC80F71B56D4DB7D8E2A87C5164FFF5D6B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:11.765{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:15.633{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EFC8B184654D270BDB5E0BC1D86485,SHA256=AEE105FF57360AC62944C7BBB2E10F9953A478128A43D61F2EB66CDFE6CE69B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:15.544{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA12951B2C083FA945D6CAFA76A7222,SHA256=7D732EC04A1B2463AB4F351275AFF72E242924F35F85F5840B2EB2B27EC7A6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:16.868{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE43829C740645CB7F270B16212FBFC,SHA256=61BB246958FB0E3D505BC2C4063FAE32C84C247AEE074653E65046EF3EBE50D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:16.574{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C704B7B7663639A494371C1BD3D98D8D,SHA256=BBE2E5A896DD2CF3EAB115C28CA0591BE5E47CB859B034AA00D62F5A2AB3DFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:17.589{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC5B565E1D8747D307121353875742C,SHA256=A52102898325E9C289C43124DB5005A08B26C7E0C54FC37AE080596BA52EAF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:15.101{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52338-false10.0.1.12-8000- 23542300x800000000000000047513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:18.603{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D59298192386AD3D5472CE2DA38212,SHA256=F85BFD2A0892B8B61AC1C3A740F4078A107D060D5C650FCAE48D76208FBDA302,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:16.874{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:18.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C436CAB095CEFD499CF00C7D49B7047D,SHA256=BC1EA1E334EFD59CD9E9C6CB84954D0B9534005B1B0D59F07092AE79910F772A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:19.621{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663EBE0769440CE2DDCE7B61CE9B90C4,SHA256=7980F067D04394B865ED2C1CF62A667847E01953C3CDB56F4818E74322EDC4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:19.118{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED8E88B4437EE08B7EDCF9FD2BC301E,SHA256=AD520881118327CE00BD15A42833FE5D00F0DAB4DADE2E7D508D4D18210DF67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:19.274{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-113MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:20.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6AA12FEFABC3CC210D044ABF5061ED,SHA256=2BF595DEC35F0AEA5DC0583EAD686342F002F8F8A2B099435BE53626387317D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:20.639{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6A7536EB9B05297E44EEA4EB1CAB8B,SHA256=A92C77A69866A3C4C843521470D05AFF7C915C52988831BF8D78429812E0B3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:20.287{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:21.655{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEA9CB20D1C4D8ECB17BF44B6469AF3,SHA256=29ADCE74AD3F113AE1AEAAE566488A1A211B3FDEBC42A9FF91651513793BFB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:21.430{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177B206BE1E57C18B2910ED5ECCF5D02,SHA256=0EFD7789463732BC957A513D10712EBFE0BEDB7636314E5082B7F564EED46E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:22.493{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141B757091E389F44752D10ACE2EAFA8,SHA256=2B04DFF6BA5E74A985786AAB8DE3EC0C39476105A4AF1ECC88F3CE60F78A2AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:22.669{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B424AFBB2EBD651CE6511D9CD487FE2C,SHA256=70456803B07167A55C1E8597CF78E5C4A4D3BD7E59A0A8BF24709E559361AD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:23.618{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7C5C8EAD161DC7A29E5D1CFCECDE25,SHA256=87964674C4A4C2696AC8A1A6B76378DCABF1E75321D4587916CD6A6268A97275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:23.684{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13134CD5E29AE69AAE1614B844B5FC94,SHA256=4D815D59C81291F12E9FD38A14F729B38740254CFFB25ADE354D0DBD2BB81DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:24.868{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEAF3CC07FEE674F2E74A3A5BFCD01,SHA256=579C8ECC35854277B550AEB5C246B2C386F757284DD5E689EE698BB331BBB149,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:21.097{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52339-false10.0.1.12-8000- 23542300x800000000000000047522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:24.699{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44603E49A3920B1705FFF59AA0CF3E8A,SHA256=C8A56A0419F4129B000FDDE1A499C455BB4F8FA95982E7E21136800D60049C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:25.930{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476BB9B01C29DE808B0887188990F14F,SHA256=EFFAF115B38458BE1D4753E3296B24ECF19FB5F382F7E0CDFD5F6277399A2368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.720{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8CB68F494965656D5A0F6A908D1BE8,SHA256=1EEC66B05863D8998CB4475D07DBA351D567868444128E39956B42B5C68E3B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:22.874{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000047531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB7D-6124-4D09-00000000F001}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB7D-6124-4D09-00000000F001}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.667{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB7D-6124-4D09-00000000F001}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:25.668{80A11F3A-BB7D-6124-4D09-00000000F001}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.721{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D6CDEAE93C63640B3D50B543482C81,SHA256=07C5CED8657058AE9FB4B611DBC0A2242D23BD41CFADFBBD501561BA003FC7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.690{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A79C5F70558C724D8ED79177061FE7,SHA256=932D65A8EB9BEE7BAABC239923D8D5FEDA5D480188E491D2D0884EF96A4395A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.690{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E8BCEFB907C2505CAED669B89941EF,SHA256=69693231715CB58F3F11CF770782E30BC2C69BCBB15453EF97EB0DD7983A907E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB7E-6124-4E09-00000000F001}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB7E-6124-4E09-00000000F001}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB7E-6124-4E09-00000000F001}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.337{80A11F3A-BB7E-6124-4E09-00000000F001}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB7F-6124-5009-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BB7F-6124-5009-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.935{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB7F-6124-5009-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.936{80A11F3A-BB7F-6124-5009-00000000F001}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.736{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0192FBC4C6FBCCD351E7F10FF8D850,SHA256=81FD52C03A008BF4764175AAEF20CDF380B3668729F5336BA0EC6CE1659BF29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:27.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546FEE3A70553FDDE3DFE8E12765737,SHA256=47725562A1CEE88CF88BCFBE393077FCD60A074FB52A97689A757C5408D07227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.189{80A11F3A-BB7F-6124-4F09-00000000F001}42722252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB7F-6124-4F09-00000000F001}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BB7F-6124-4F09-00000000F001}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.005{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB7F-6124-4F09-00000000F001}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:27.006{80A11F3A-BB7F-6124-4F09-00000000F001}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.757{80A11F3A-BB80-6124-5109-00000000F001}71323368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B065654EDCE3AA878600872CAC4EA5E1,SHA256=9810658AB2BBABC9B81BD29F7CE8BF12B0CEE17547D9CAE7885B777854DE7C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:28.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BE12FA26D434DAC75EEF190DE8953B,SHA256=42E675FFACEDA9660255DBB1C42C640F27EA45FFA0DE1B98B897F8A8705C8706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB80-6124-5109-00000000F001}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB80-6124-5109-00000000F001}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.604{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB80-6124-5109-00000000F001}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.605{80A11F3A-BB80-6124-5109-00000000F001}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.156{80A11F3A-BB7F-6124-5009-00000000F001}9844760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:28.020{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A79C5F70558C724D8ED79177061FE7,SHA256=932D65A8EB9BEE7BAABC239923D8D5FEDA5D480188E491D2D0884EF96A4395A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.955{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB81-6124-5309-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.954{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.952{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.952{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB81-6124-5309-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.952{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB81-6124-5309-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.951{80A11F3A-BB81-6124-5309-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.772{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D264138F5B1A9B07DA02226DCA474A,SHA256=BBA45CCF7BABCED8DA9837650DC9A1F9AC1CBB804023952457F022984F98B25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:29.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A09FDB8D19D1DECD6D8136E914DB835,SHA256=108449DE397DD787C7B1FB36D24D4D684121840CD0F1ADA71CB58B46DBEF38E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.619{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812C65A379E1108ADFDBE1FEB3C0D58A,SHA256=A6484839424C8E761EA670FB7E8A623099B66392ED28F6C207E9CF43E4B13550,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.451{80A11F3A-BB81-6124-5209-00000000F001}61926860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB81-6124-5209-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB81-6124-5209-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.288{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB81-6124-5209-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:29.289{80A11F3A-BB81-6124-5209-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:30.971{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE8FCF6C087AC99E5AC230B93362AD0A,SHA256=3D29E706D2F7931FE6392A0116ECD61ACA4D83DE7D2DDDC57B8A257F09EFB81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:30.803{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2485A5C2E1D61D3DF481316DAC5FD6,SHA256=8EDF4E9281A05E885E3BA9DD0DA41B310B8CF8F08A1897B1FD5059CCDC82A4F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:28.624{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:30.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389F520408488FF20EDEA112B0073013,SHA256=9A1A0C64186161420DA5163F3F8D98834F299F828B8A08741F7232DF549E06C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:26.180{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52340-false10.0.1.12-8000- 23542300x800000000000000047596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:31.833{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7339E587AA6AC0988FBDAD25A6176E,SHA256=51EC3F318E630E976D3AB944D5E11ADB3FF120317C1AF219686CC359D2424A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:31.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C498C9101D859CBCDB2AED1330E7BB8,SHA256=12BBFD0EE129837E778578BD3FBA61053F16CC53F62AA7188A95B17019EE87C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:32.852{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46090870DAF1F00C900FCBB3E6719A9,SHA256=365F737A6B339298A93027E81D37AD700627933987F660E4ED97F7ACCDBD07B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:32.852{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:32.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4E027F34998AA497BFE8ED3679A48,SHA256=D95957F87D1ECCB14756068B3795E5B56367C4BF9D682E81387E946776F05323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:33.869{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DA674C68FA9865940BB35DF73C9C87,SHA256=36EA8C3A5A73449558A15456764B12F6A2DABF4ED79B4BF088612A8B8360CA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:33.118{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5465C802CE6ADBFA219BC603AFAFA258,SHA256=227D2A7B494F16C37E0F2328209F9B93FFA95708B55D3BF9BB2971B7BEA83BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:34.900{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0504A5BB3E0FDBAD240D574EEA6C90,SHA256=5D3BCC1D5D08CAB9510BE3EC4C6E1867B49590D0865583EDFE9664FFA651F7B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:32.453{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:34.352{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCFABE5D62AB807EBDCF8FB61CEAF2C,SHA256=27CD2600696913C3FF7A0780A6A11EAAF32FD1E2981EBA52B6A219C291476DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:35.931{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B94030F6CBB8704528F5C9B03B2D24A,SHA256=0585FFC7A113DBDF460E1FFBEEAED32608ACCF9514388EBA36ED9FC2D0C433D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:33.859{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:35.495{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D111B9EAD8CF21A9D598F0C76E281462,SHA256=72AE56226A4428502A7EBB80399F83C4ABDD2716343A3FC6464629FA41030A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:35.480{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-106MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:36.948{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAF552F7515148AB0282493DA29983B,SHA256=81DF51D03BB370EA743CB67BA2FC452BE64B4728AB562D47BE844239A9E20A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:36.556{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F51B1891C801033585A7E00F9A95A6D,SHA256=266B2F4AF65BA9EC7CF58D4EA54F2E739D2A2B7C0D166974014EAD6EE910ADA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:32.030{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52341-false10.0.1.12-8000- 23542300x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:36.480{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:37.777{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91224D893F495E29BA2A4B80906DB0E,SHA256=554476B37608610D39A2FC28884EE10A7F68872A0A51958686FCEE727F390DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:37.966{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A9B0191E25CF71CA493B0A61619236,SHA256=C5CD2C6E95AAC2C4775D8569F7D16B3AA7E19E6A90100B1831397819BD5A53F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:38.855{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF2920EC481ABEF81E86D20D9E9FEDF,SHA256=B696D292F420C04D966768E8919718CA1D3C428B05FE2F7832F303AC40E7B7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:38.981{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B81972AB3629EFC64EA286B3E819626,SHA256=8317C3AEB58755DB1DFF29A7F2810ADD1D52DCCFAD41A39C6C98998FFC79286D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:38.750{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31B43580FD7018A0FB2860F8F62FF370,SHA256=D955C402B9144EABF8D540448F7C85F2B2B3BC0684C45510D5789677EC671D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:38.748{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=361435A9ABCB714FCDFC90727A9EAE4F,SHA256=ECBB057B9A9D3A1DEBA4FF1588197BD780A3167F5AB845F57613959EE7A44D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:39.871{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ED4A5BAA9E05FDEF64A84367826279,SHA256=7B1BB62B35B368A3B4F2AD7BB6A467EC613F426DC5E4A174DEB4A63BBCAFC622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:39.996{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B237B89E3912BAB29EF23DD8736205F3,SHA256=46AD26961D0A974C54FB8BBEDDC2B7F7973A679BA6C8B3F131DE5E166B8F5464,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:35.643{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52342-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:35.643{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52342-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:40.980{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F26723D24411DBB79C3CCAA854A1A3,SHA256=F602F3A55B0681548B6C5F0B6FE107DA60E23F38B9BFDE23DED103876E90A265,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:41.226{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:41.226{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:41.226{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6bb9a3.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:37.110{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52343-false10.0.1.12-8000- 23542300x800000000000000047610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:41.026{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AE539C5EE7D3D3BB568D09343887AF,SHA256=0DADE71B84C2DF6569061F6401D3850C86F419CF00407369F45C4E642B094D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:42.105{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE4D69F413E93C50C9BBF6D74C60B58,SHA256=46EA7224C8D11A129DA879939A62AFEDBD8B14266982A5A07F435C2B048CF846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:42.045{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06864AEBD0D3A76FB67FC6CCB5841AA1,SHA256=E0F70745F2F8F0736E2284D97E64DB6815299C308419D4E454E8F63823C01831,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:39.753{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:43.121{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7373648FBF26A57709D7964195536AAC,SHA256=72E5806AB2028A84CFB8B805260425BF16B80D59774E7BD828E4AE1F8EBC2488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:43.062{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A43E387EA52945DEC3356A77DAE8FB3,SHA256=A53A26A7B51493A396F164880645329731649073754D4D86BE0A2CD51E4E2853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:44.121{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FC145C1858E5B09D06C9C5AD052A85,SHA256=56E1392AC11AD9185295B39F469F98251A5149957D8511917EC21536611E7654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:44.077{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8190F1F5D58BFB682AF86EA378DDDE11,SHA256=7211D9B9382C69427B74D60EAE5BFCBFFD2B71DA263789502E3FB37392BF43AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:45.137{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3FD086B2AD23B987CBB1AA7FBBEF3F,SHA256=8AF677A37CA79AB270D04836B9459E86D2EF2522AB5E13874FBB2E4194DD0EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:45.091{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE38EE3BE6E49D4B4BC75672ADD73BF,SHA256=BF53573F1D94F86219FBA403F036BC17ADB61AB46C44779B16E954D4556958B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:46.137{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0240943584EF7E156A74F88B8B0C0A,SHA256=F4DDBAA9C9C015FE88BA4C2D8FB1728B11BD974FBA92D9930CD9A5326A6C76DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:43.105{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52344-false10.0.1.12-8000- 23542300x800000000000000047619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:46.106{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CB7E68487D8FA7441E35853BF2AF0C,SHA256=4AEDFA7D93EBD909DE06BBB196D55FAE32E67942DFC6E812A949D4149E4A1F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:47.230{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6641E7739D36DA077D60D3A476A7863E,SHA256=AB18D8112AF575A753FD548FB558BDF879705B04F5D1F009E407B31D4054E2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:47.121{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064A36E24CD3479E2B1D5D5B9274AA3A,SHA256=24C1F06C5242561484342CD506ACAC53E764FCE0125761A4E10199C2BFF64C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:44.831{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:48.371{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2484EF9563424F5DFC7D832FA3F8A0,SHA256=D993246E5B5E687621B4246664E6E12D1BC47CFAA025D3D4372E302D45CBF0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:48.357{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=303EDBAC2B00393EA2C57A1C6A9CADE8,SHA256=B8E5C94061C3CB5B9EDDDB7E9643F07B51D6D7A4DE983E153BC2F3A8F62DA6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:48.357{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA7F088B69B7640BBA4009725306CD82,SHA256=31B56FC2C3201B689A3120782E5EC244E824F490E5F00031325E18E1A49C459B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:48.137{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664D2F2CB7B3B92870BB0D87E3D3DE67,SHA256=4D3A456D3FD33570DED6C1C2B1176A2DE56C3E567587827C8744062A5909F3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:49.605{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7EC8F91A76BC911F470415C4B141DC,SHA256=29FF6D1E3D44B5138FAAF869E1B06152B6AAB0747CA37A74563FCD4A3EA0AA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:49.141{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5828BFED4A3CC0A14FD5985B2A8BE381,SHA256=FF7190313C4EB45D0D29B76A2BDE92A0E35A19B232955FFCC4CBA1AD0F5A2A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:50.835{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED1917AD034BE4380716286729314BF8,SHA256=4AA8899F24704F994D4FAC2EAC5372ADD14AC72A50D658624415B24A67621181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:50.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845768D992C75FECB714576D9562B1CB,SHA256=1B7C9A7C6D0E91CC480D2C5847E419D662D3635DCB9DB81943F4866DC4FC5AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=DBC71ABEBBA4DFEC69C40CD28A836828,SHA256=CC74C5D29C20CA6A57F3FB33DBDD2FA29C8F91A7FDBF01EC79B452749EEA945D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A48BD2EEB0F0435F9F84C4B8E979B5E8,SHA256=93A77954BFF50FC75A3B98B28E02FF92E895CEB467BB8857469F638320D01B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=096AFE9C977803AC070B67E2E84359B3,SHA256=5120B43B0B7271704AF30C711467B8E509D7F00A651A68D6ABAEB468813AC76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=9843E04BA2D1A5EDA2EB34C569738F3F,SHA256=7169B31BCA3E1EA0DA8A83820704D1DF46CE587DFAD152FCB2EBB78BAFA76BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=06D609E2539D627C35156CE7556DC748,SHA256=7880591139C67C6CFF6BAF57007CA47285C67F20C1A75F5BEBB80F658C390387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=3773A66E2F682C2CA491F53750DDBADB,SHA256=2B5681E27307AAD2C602C67D6D719521D842CCA4CF29C41934F47FBEE3AC4824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=30726727FC285283E95B094F9FFC66DC,SHA256=62A1087F8CE78CE4D8999EBC452C9BD642F84FE962FCBA585844BC5BC48AB758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.457{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2A6A491567AFAF444B88446EF791BC5B,SHA256=135A0BD8F63D14FC08C57C6CBC97B755533D98AD05178CD6725B2B284F76F85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:50.157{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEA62E1F4054A5F18F29F71D3E8F574,SHA256=9DD27CB20155C19AC95B3F6E675A01BBBBDA346BCC7B54F076D4E11AD67A2894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:51.960{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A91D1DFCEC396D70EC1883F40658DB,SHA256=654935AF47C86BE9465B82E0B13F0D9E781AE4FDF02CCA8BD7D9756BD533EFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:51.226{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE53C82D0E3B5EAD7D457239DD82BD93,SHA256=2D28E7E559E4158ABE6D01BF7B2DF523FE76F08E4864CA7EF516AACB79006E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:51.226{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DBD938801C3B7F808F99178499481ABA,SHA256=11CA090F9088882D5C4B85A4F5C64B354259CCFAC5B08F9F14A172B10C85BE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:51.188{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:51.172{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64848446F4254A807C65F06041CCF2D,SHA256=EC5331A68EC819AE0403B0F9D08A4A4352D462E22E2F959AE0486F71E0BF8A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:49.103{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52346-false10.0.1.12-8089- 354300x800000000000000047638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:49.086{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52345-false10.0.1.12-8000- 23542300x800000000000000047637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:52.188{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266D9C8A47FA4893465E2DB1FDB462A4,SHA256=ACF618D32E4E305F1D92EA4A234F1DB39EB6108BEB574262B97C302E18044DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:53.188{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC9D0F79B01D5C2F4BB71C74859429A,SHA256=8242D5F223BCDA02E9220CE597C8737783C487543634AA35D6EF29D7F65F6E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:50.860{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:53.134{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB4B1FAEAEB79AC2E1F99A9550BAAC,SHA256=7F52F5A8245F96448A3F1BFD41AB3406B4177B3225A2132EBBC657941CF33180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:54.149{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1021CD4671F1EB11832EA39BBC793491,SHA256=76C385E0164A4556D2892DE2892A0754E3D334745445ED14D485FDFF43E191BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:54.219{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F78DE619F340B3F5C5F4A8E24BAF76F,SHA256=48E6CA3FED6F2B367981EB817FBA437C9907CC00F205E1C1C9B90442193C5D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:55.368{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F318335D05321B17214E5BF352E617,SHA256=EF9D2ECA44B5DC382B14900060F4D36FF1FBC7C6EB8715C51A51DD80188B474A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:55.237{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC74522B002820BCC5E122DA5EEC26EC,SHA256=8D637E129C32164C978D35D0137F7EFBF561DA907805995BE0187B2964FD3CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:56.415{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B275232F5B5B14134B9688938C4874A,SHA256=3DB4F693930DBEB678A0EF5F7FC6D0F7A4401F024683F6459748D51F130B8087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:56.254{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1BA7E94337FE7B6EE93EDABF927B30,SHA256=5E00F6D5F79D7C071CE641B80B9B2E485F717B0F5123596CFF6D2F882330AE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:57.649{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31A6D066AF25AAF5F022E674B342EE,SHA256=1E9BCC8D89D38135B8451E452045E7C4CF20F3757988F2289CF6CEC8CB28AF62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:54.100{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52347-false10.0.1.12-8000- 23542300x800000000000000047644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:57.270{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1760D522C48C1C1F06045E1CF2DEF17E,SHA256=CE40A3C8775E0CF39D7861EFC910A08E315F5D6B5887B63C7DC15C09D75090CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:58.837{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE5E121D4D83B37E6E70D1B96A0DEB2,SHA256=44510CC286DD3692F84EF914672ED5ECB7D23E153D04A91836D26034DC4BCD6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:55.875{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:58.285{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECFEC5103272987F3329C330E281487,SHA256=1ADBEB8B5CCF1CFFC85FBE26BBC3F5A5056643C71C2AA509155672EFC3D8B0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:59.868{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639AE402F2A335FF875908FC732CBC84,SHA256=981B9AE0B974BA548E7B89850C0E21C98DD87E36E85A142DD8F05C3DD725F96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:59.315{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227E90A6D9CF79E8580685747214EFBA,SHA256=459FB97A09443DC97FE437691AAE2A5CB58E4D1D5F283839E2A1103ECBF61954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:00.884{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3488137A6A8DC1FD83C699B673386DAE,SHA256=C083F25F2BDAD188AAB456847E9383886D12706DE48AAADF048270BB6ABE3185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:00.315{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CF0ADEB4B81D6E6F49DED6D151B695,SHA256=8B614EB5E43E7636E83BF2EA37F1168DCC1ED79768DD7DE72C47D352AD3D8EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:01.977{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCABCE6A35CBE29922606FE2672C60D6,SHA256=977435B90B4654FF63622B421D02B542DCBF9F743FB023B84656D094D6781742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:01.333{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F004A2F7FA0D660D1D6E8ACC8FF49FC,SHA256=BA31CFD5458E494C6C8CF75FDB758789B2815499851FD88C433DE0EE3C3AD072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:02.351{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB97D3F497309D7597593BA03EFB3AA7,SHA256=92E92CE64FC442E83704DE8CA1E1BDD335BDD5BD58F5A333BA8CBE734797C89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:03.009{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D701F737EA8B1FC62ACCA6C36EC6CD,SHA256=8E1D3C9C132C8A070969F8E7E2D3A152B989B3C5C96A5B2BD1A6C0093BA45AB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:59.982{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52348-false10.0.1.12-8000- 23542300x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:03.366{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0DA45E85E965710D1FEA954EE753A3,SHA256=82212618B8760314C6489D3E8506781CE53563C03A4A43B5FC5503914E5FF810,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:01.844{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:04.149{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE03BE402C81AB06ECD0370B46D82AD,SHA256=11FDC6232B83BF8B802CE3B56BF9CA83272E5816B63532B61CAF60FF116EB63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:04.367{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F058A1FF72AF242B34F82A3C1AF7793,SHA256=BA52B0677DB2233BC69E85AE861ECEB84DA88C161D7E969B311A88DAE9E37340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:05.384{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE6ED0CD3FDE8350CF966E1BC6256B,SHA256=7E43ACB3EDE6DB64358B3C8EB36FE6BD0341A40D1245521D0A3AFAF24B87DC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:05.368{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61768393D0FF2C9C3E58FD7DF0985AEF,SHA256=727C4BF20AD540A824129E2C8E8F34DC4BF6BB3FD911B300DDE4AE39D489F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:06.415{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BBA5F5E1F4494ED5A19BC3C3FD6C27,SHA256=07F11D8DD827BAC0F9EBDBD62D5435A665FFFD0F9D3022B2DE0AF6328F8650C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:06.382{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63374F0E9F11730569E4C2A8FA0AFCB8,SHA256=4C3BBFFAE20C4AA7852956E01397551D693F625BF42B80CE71C9094B48FD3F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:07.398{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02027D630F18112B93E0078949026D13,SHA256=6A462D1B9DE755D68F2CC828AD43D24BA75806873A1A660E3CB97A7CC9CCEFED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBA7-6124-BD06-00000000F101}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBA7-6124-BD06-00000000F101}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026903Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.852{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBA7-6124-BD06-00000000F101}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.853{D371C250-BBA7-6124-BD06-00000000F101}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.462{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FBB364AB724267366331FD22C852F8,SHA256=2762FFE86E7BEF87D5CA44B59F040439A5B2D37DB3B6C13F951E45D03C6E023B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBA8-6124-BE06-00000000F101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BBA8-6124-BE06-00000000F101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.477{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBA8-6124-BE06-00000000F101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.479{D371C250-BBA8-6124-BE06-00000000F101}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:08.462{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518131E3754999032F16CE635078C6DE,SHA256=E194DDE77E95F2D420BBD955C82394CDD171571ECF11ED975DD3B43A12874327,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:05.096{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52349-false10.0.1.12-8000- 23542300x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:08.412{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B547444BEA0EF815CA93B79BA25A9D18,SHA256=98433B8377D61309D2A3850517D1E29390198A13231D0F785B88286D6D54A3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:08.350{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=68978C0C849931509D3CD4711BEDDAD2,SHA256=D92544806BE813070818A9750C854F707DB9BB312251D8D2B13E06EEE514D087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.727{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CB0431578A1D349AA1C4EF296F0F6B,SHA256=3731171714E6211B07F4742E81697CB9CE3D97E117DDC36FD260420B236647C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:09.449{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF81A4AFC6669EC595165285130954DE,SHA256=46F12F5E2C1164E5A6835245EBC693E432EC7CAA12CE48E7A11B7089910749F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.259{D371C250-BBA9-6124-BF06-00000000F101}36962388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBA9-6124-BF06-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBA9-6124-BF06-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.102{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBA9-6124-BF06-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.103{D371C250-BBA9-6124-BF06-00000000F101}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.009{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D26DB67F92C4D0A52883152ED6BE1D,SHA256=C63BBEB905B7C7B14A692D94FEA4A2463986C1E2DE200FE89339AF451509C102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:09.009{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B143447BF29B8E080CB030862D7A381A,SHA256=B3895F6A81A1C7D0E7004F0928761086296CCE733B642527AD88743B8585EB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.852{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519DF0985EFF459D011AA5DDE403D5A4,SHA256=6231D3B3CE25DF2AD7ED07C7715B2C8B29694B12B2C0AD737057714A0B99D71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:10.464{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BC57C3AB76C91C8699DBE84BD32C1B,SHA256=7FCB4194783313E31A1714727AF14FD8ECCDDAB8C68F743D8076ACF539D77642,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.196{D371C250-BBAA-6124-C006-00000000F101}13841380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000026960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.102{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D26DB67F92C4D0A52883152ED6BE1D,SHA256=C63BBEB905B7C7B14A692D94FEA4A2463986C1E2DE200FE89339AF451509C102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:07.735{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000026958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBAA-6124-C006-00000000F101}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BBAA-6124-C006-00000000F101}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.040{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBAA-6124-C006-00000000F101}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:10.041{D371C250-BBAA-6124-C006-00000000F101}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:11.478{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F9604283709D698B48A7E918253F86,SHA256=3E5E0595E01D458DAB9096BFC754672728043E51E7E6A7BB71A8BD8CD91864F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBAB-6124-C206-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BBAB-6124-C206-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.837{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBAB-6124-C206-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.838{D371C250-BBAB-6124-C206-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.337{D371C250-BBAB-6124-C106-00000000F101}25521676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBAB-6124-C106-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BBAB-6124-C106-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.165{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBAB-6124-C106-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:11.166{D371C250-BBAB-6124-C106-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:12.509{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE9B09FE012ECFC09BB08666801EA0B,SHA256=0FBC32FD23C1FEACF0EBB8A96D29A72A28E21702FFE8B8F0AAC2FEA6418BFE28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBAC-6124-C306-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BBAC-6124-C306-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000026994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBAC-6124-C306-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000026993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.509{D371C250-BBAC-6124-C306-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.165{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21FE5DAB83F14B9A93ABF8BC9201943A,SHA256=766342EF1173B1012B935A91233247CAF4411AEA655E241751704A699BC3D56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.134{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C74CDA4979EC54261F033CF78A02D6,SHA256=6505E86932BF62D563541851D8A4281CE908B3AE4E4522982D04637F26F38B14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:12.009{D371C250-BBAB-6124-C206-00000000F101}2242840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:13.509{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C305455F266921A79D34DFF9C5670247,SHA256=614ADFFF91458509A2475E6EFD58927F2D0719A1C929D8C2DFCE6A10D2523454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:13.134{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE861984BFBF28BA91ECF9675B64C43,SHA256=5C588421EDB054EF1622E2C821C5CA3B3EBAA3599FE22C5EED4295247D09099D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:10.177{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52350-false10.0.1.12-8000- 23542300x800000000000000047664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:13.512{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB00DBFE5835006B8BAA6AF4FE4591D5,SHA256=D76371899C6650C68486F91A9807A27D30EBD4285BE7B40010C2ECC3D9A68737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:14.531{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74122AB7DFFFC91497880500067F33,SHA256=6C865CA15229688BC2B28A24F26CC630C7327F93B314E1710A72FA322E3710CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:14.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA43FCFB61D7F687F098FB4D7B310C28,SHA256=0DCAAD84CA928E560D1847AFBC8BFC103A36FEF3BB9B68B3C7760FA29FC7C95B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:15.827{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:15.549{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBCBA76515FC73E23778BB0BA2F5D46,SHA256=87B73A345982F91199138F52B08A56753506C15391C48B140C5859BDB35AF140,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:13.735{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:15.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D3E92AA860F786E9ED6ED0D94CA762,SHA256=FA287F231FB04E88C25C2B882321F2CADC67BA30A9B37D0364FA00A21A5D8AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.780{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67CE245A8951241F582F0EEBECE7A14,SHA256=9C4A77C6778084A58E8F90BA86937C8CF9AA8672358F0BDD48283C3D52E1D6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:16.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA903E40BA384DE2E5DC0B26966CEE0F,SHA256=C2AF68872FF7958480194C7E519EDE33DEBA181B3B543D982C73BF5B0C9F45D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.049{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:17.781{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA5858678FA40863090A840EB8436B,SHA256=C403063EDD5CC89EF1E8050B46EF69BF69A2994EB35C34B5259568A3CDC6FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:17.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3F4CF12BBC4EDAF5369DCFD04ABAED,SHA256=671143B24C58D7BAF4FC199BE83E588B1C29587AD95C4C72884FEEA6FD49EF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:18.796{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A0DE0D4FB7256AAE6F94966C5E6B62,SHA256=119C225AFB615D872D7CF6B2FAB2524E66E5C626B9C265C5B49C8CA4615CF673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:18.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27169285CE6402B1266C89546C1EEB90,SHA256=FB4F21570209C69C2C9DD631F7D85CE0EC2F7BC74844350C40F31B884E470E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:16.043{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52351-false10.0.1.12-8000- 23542300x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:19.811{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8907DA3ADCA66510BAB51893B3188806,SHA256=72405102F78084053483765987CB9B8E71D066EA2E6C72F792265063DB0E1E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:19.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F64386DC52D30D65440A23EE078192,SHA256=FF9A7266A58D5E9AF8362DD7EFD5AC56B9C353018FCBEA414AEEDB6CC8B4C811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:20.816{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A610CB8856079EB38CBD53624AF4C5BC,SHA256=E1342B79B1176527CDE60A0D421B1981574419743B0E8A8FB6D06E1F7880A219,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:18.735{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:20.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA7831A0F4A2D12B61AFF653040D268,SHA256=EA62AEAEA2E032197B5F864A02233EBE34807BC47B18B0EDF835B0580210346F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:20.813{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-114MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:21.828{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A901523AE864F747967BB9B67F3E80FD,SHA256=B79B22FBBE08CE0DA607600EFEC9D08091FDAF189DD20C0042072331A1949497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:21.827{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-115MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:21.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C2DBA378A4B913BC8C323DED4B5E47,SHA256=21BB18D8B083695667E72398AAC7675F4109D4705CE0990785E8772CA4152C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:22.847{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE488C94C1100D7EA796EE3F6999859,SHA256=1003D2C47D8EBA6F8344F667E3CF1B4CB0188FF4387943455DC72911EDC92C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:22.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28206F8CC0C976F2583FBA5037EF17E,SHA256=D426BE9EBD205F05865658300761774534D2761E7F3F17462660D11ED97944FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:23.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66739329AA313560157AABA3EEC2743,SHA256=B6AA50C6400A70F2AB3C916C9A09823BAE404AABF6D95A0640340D92732C80C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:23.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14A54B203FED7E68B53B73041A9004B,SHA256=4BC3232EBE878F5BD4F6B56C2E45FDE084D0611F6E028B71281043D94C5FC183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:24.863{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F587BBC871819D9926F57506935072,SHA256=C0152D58F48127768E2AAF1396C75B7D025E70E566473CF47CC09CFF305D2E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:24.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ABE432BA8E567740622BDC1D206F60,SHA256=29CFCFACE894989CE35DBC33C116786A4C3FBA1F0A2502D71E54E532884C5584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.891{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6358F429744C017FA428669FE28BB8,SHA256=43E20EB3DA7BB276F354D18CAAE9458F484FAB95076017E5D8E15189A0B6CDC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:25.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C15209AD64F4AAAD861469C8E9CE8FC,SHA256=735D57B1BF7A03F1A78DF0B06C8E76F9F8F87F0E3FC979167A8656F81DED90CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBB9-6124-5409-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BBB9-6124-5409-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBB9-6124-5409-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:25.676{80A11F3A-BBB9-6124-5409-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:21.108{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52352-false10.0.1.12-8000- 10341000x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBA-6124-5609-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BBBA-6124-5609-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.943{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBA-6124-5609-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.945{80A11F3A-BBBA-6124-5609-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.906{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731E39F2EB490056A463557C9FB33BE7,SHA256=5A03C60BDEE9BA17110BC2F8AFA04D72222E7BF1BC94237B11C4A1D81F57F4DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:24.704{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:26.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5D779DD2263FE6BF5587215BFDF6CE,SHA256=C27E1B068BD62EF244F9DD8B0C30DFF0EAF00771D9A0E26488F5883533393279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.706{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47ADD8881D32DC2CBF961A50F42E70DF,SHA256=EC9122DF44F1A32C4BB722C0E2970812642F28237041F63106E17111F02F04B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.706{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31B43580FD7018A0FB2860F8F62FF370,SHA256=D955C402B9144EABF8D540448F7C85F2B2B3BC0684C45510D5789677EC671D15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBA-6124-5509-00000000F001}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BBBA-6124-5509-00000000F001}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.359{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBA-6124-5509-00000000F001}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.360{80A11F3A-BBBA-6124-5509-00000000F001}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.958{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47ADD8881D32DC2CBF961A50F42E70DF,SHA256=EC9122DF44F1A32C4BB722C0E2970812642F28237041F63106E17111F02F04B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBB-6124-5709-00000000F001}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BBBB-6124-5709-00000000F001}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBB-6124-5709-00000000F001}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.943{80A11F3A-BBBB-6124-5709-00000000F001}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.926{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE804B2583BC5EC7451AB9FFBA6E449,SHA256=B185C68D6695587626A78C0AFF04B24C94306FA55A7D0811B8B8E44D8235B105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:27.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EFBFEC0C58F8FA768062EA3A47DA8,SHA256=C9D26BE5618730E86F7FB25177426FB23DB0047B54AA9DCE259884E4593C8BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:27.190{80A11F3A-BBBA-6124-5609-00000000F001}50966372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.942{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C487FB052893265C8858CE0A3075EA4,SHA256=A61989D10CBECF3EA21CE390E11E24CFEFCE6EEA2D38096B925ED0D9D7C82661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:28.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F3EFA6827046C49F0B6CD8814C97FD,SHA256=45E7BF08B5F5AC52F6B38D2CCA018D416BE8F3B7AC48F4EE32244A6A52BC0B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.757{80A11F3A-BBBC-6124-5809-00000000F001}61925608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBC-6124-5809-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BBBC-6124-5809-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBC-6124-5809-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.605{80A11F3A-BBBC-6124-5809-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:28.122{80A11F3A-BBBB-6124-5709-00000000F001}33684744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.958{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3174EBAB1C1BC5CF9FA3FE52EE8E5A7E,SHA256=B6FB72E52D5F39E910FCA07DE89A25BB827E82BFF2330E23E1C4D5469477E46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:29.196{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB025BAD921CA63664CB91E08485EA2,SHA256=C287F37CB4C6C3588985E214953A7C839343041CB7FA3B00EDEDFBECE37B337F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.826{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBD-6124-5A09-00000000F001}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.824{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.824{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.824{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.824{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.823{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BBBD-6124-5A09-00000000F001}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.823{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBD-6124-5A09-00000000F001}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.822{80A11F3A-BBBD-6124-5A09-00000000F001}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.606{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BAC7E7297397153BAA58BEFDCB8014A,SHA256=D7358D55BDBEA865C2350320ECDD1A1A6B083453185CBC9CF5A7FE786AA5011E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.375{80A11F3A-BBBD-6124-5909-00000000F001}67242176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBBD-6124-5909-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BBBD-6124-5909-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.204{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBBD-6124-5909-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:29.206{80A11F3A-BBBD-6124-5909-00000000F001}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000047783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c7477) 13241300x800000000000000047781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0x039586b5) 13241300x800000000000000047780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798ca-0x6559eeb5) 13241300x800000000000000047779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0xc71e56b5) 13241300x800000000000000047778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000047777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c7477) 13241300x800000000000000047776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0x039586b5) 13241300x800000000000000047775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798ca-0x6559eeb5) 13241300x800000000000000047774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:29.042{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0xc71e56b5) 23542300x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:30.974{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E8344F9D0E10AB58FC0C54013CFA31,SHA256=BEA34A2E725CADE0DD442FC23B404DDCE1ECD1749F047AF53EE907FB54D7BADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:30.205{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3D8C2D5BFCAAE630BAC83CC2A3CB09,SHA256=EF8DE1EB0E507CB6933D5AEB8292BF06381FB3FA04B6735AA6C70AABC3B432ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:30.842{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9452A48654673E16959BE060C69C7E,SHA256=A21429C16F9F2A460B345A19CA5716AAAC12723B159E23679E2AB6E906F915E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:26.155{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52353-false10.0.1.12-8000- 23542300x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.988{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C83E9BB33A112F4475AC13E5EBA55,SHA256=258F27C7DA918D1250DBE11E5BC94541C2B244758CE8B0D0E14CD2BA0497BE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:31.205{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1141098EF660CFE682F4E29C8430DB,SHA256=D94E4634F468E9AAEA4E76723DE3981AABB528E504873A923915BEF5B154D143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:32.877{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:30.682{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:32.205{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012C031C84A7B3A1BEB8079BBB4EA8E9,SHA256=8F0814532EB9299E45DA42F735F8A71335F0D1725B69F51513972ACF01C0E3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:33.205{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30F43BA34828945CC35B77750B24918,SHA256=DDEC15BC1147E046CCE7D723D5816BFFE598DD1E8069105DD1BC91B470AC9CF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:33.740{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:33.003{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FAB4D7508EECAE6B10DBEF44DAE5E0,SHA256=A95336417711F01D5AC4906A4420CDAC402542DA75263F3E509EEAA720E15C80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:32.479{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:34.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB98C8226449B48DC26A73B9681AED00,SHA256=B96C1186A478B811EF9936511EE2786F00801492C2C6244C661DAA3E866049A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.675{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52356-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000047815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.675{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52356-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000047814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.584{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local52355-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.584{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52355-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.574{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52354-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:31.574{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52354-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:34.655{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3E1668AA7ABE33473463415CDA52171,SHA256=4A941355C4AE02E5874F60F7E91AF43FB8D4EF9326E9744A0D791682F24ADF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:34.020{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8282D3DDF97D48705E9D26F43CC8B8,SHA256=D8B9D1960B44786A0A33561ACEFDA0EFD18875F3F2FAD9E94EBDF59E7357A793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:35.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F3B89557BA6F8C605918D0A4B0DC9A,SHA256=493C771826DF36B3AAD9D9B36F34372C2867E10FEC69792C20B868A12078547F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:35.039{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03922A177CB461AEAD3F6BE8AF547DEA,SHA256=B99FBDDA124EB02FF17A8A9C2289FD482E8CD81E171FE0A324DC34FD3C2C0CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:36.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B130B4188F28EA5B0F359627D80E,SHA256=29A712E469F034B16821B1118317BE28E55F870481AE25B80D402CF24A2B59AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:32.102{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52357-false10.0.1.12-8000- 23542300x800000000000000047818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:36.069{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC9D52DA7C2A4C5E085D7F867BA03D0,SHA256=E3CEC9F86E3C582D15855CBEB3CF59B9B62F7DF5BA410D50986B3537F39D659B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:37.626{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6000F9A2D1C5E4C662B367C7B14EE,SHA256=6BB7228BBE1FF1EC7128D420964985B14002D526C91F603655CC050469BF1B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:37.084{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F27DC43463D794676D202B63CAFE57,SHA256=C9E80264F580BB39AE80D87FE3E9A0F43EA73216EEF078B78F282E5ED9B41547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:37.004{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-107MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:38.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12A2D85C716B0E0C5E10ABF088C9C68,SHA256=A9D796782F05C430AF429EAF5EBE74D69ED06843AED21CD28396B5D3B96BD965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:38.737{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B4D493C16FF05E76B6AF70D13BF64AA,SHA256=C8E978688903910668131E7FA8B99B155FC8769E6701A3720E52ACEC5FCE622E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:38.100{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5C671D48781EC071CBAE23C35B855E,SHA256=FC674C0EB581DB4E28E5E70FECB6F2298DD35378B0868BDE060237AEC5D737E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:35.823{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:38.017{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:35.647{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52358-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:35.647{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52358-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000047823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:39.118{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085B166E1F99F9AD964FFA8EE6FD3347,SHA256=21CACE357A6FC494130BEB4872FC0CCD03D289F71FC0CA2BA47FE414B73287D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:40.095{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA3E61502B4A31C4EBC4A3CFE29CD95,SHA256=558C7F3ED26030AF2060786DD472C70E5E37A7C435306E443D27735423E08693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:40.138{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A839E4AF2A8E9F1096CB22D997DA76C7,SHA256=375A08FC418614EBAA970FBBB21BFFA7890EF5673D4A84D39E79C4A8302ED9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:41.153{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F28AE26EABF35ED9E132FCB075D4483,SHA256=EB556EC5C9DE1F798A9F1F2EFAA205B8A4404932126516AB366A3745BD43BC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:41.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A92E233F622260196D305197919981,SHA256=BD3272D929424E18C3D06CE7CEF671613A9C615B8E26C0C9282587E1A83433DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:40.854{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:42.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A87C8709B07A1B4BFF6FC66F5B086,SHA256=0EFE90B5611BC83B9C55CA801896A38624C37ACBF8911F5E116814D39BDF276F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:38.048{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52359-false10.0.1.12-8000- 23542300x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:42.171{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA8B62FC3A507E8A3E7CA0C618DA98E,SHA256=819611B50FF6235B14AFF405CF54C65040C07FD6315E7474EA37AB079C94421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:43.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AB4C568A2A98D97C8F69180A9AF45,SHA256=416D725BA41F29D68E2F0EAB49648DB27699D13B970903A92A157375F96B004A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:43.186{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162C4975A18C2BF8926221EC19F06E43,SHA256=85391D298754047A4E460D628126EC2D2B694A4734029267D6B29B08CD919363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:44.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297C1FECE6B4E0CCDFBEAE5B2753A64F,SHA256=7FEDFBB71B2F8D08335F4EB2D913DDF17AA7F0557CCA3CBAAA9D32B5593AA16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:44.202{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782CAD3D3FF3B7FE982514872C403705,SHA256=A72BB872E3E10048174C4CFA0028AAD65F8BAE1792099CF6C07AE2D9E025F88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:45.538{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF56F6BADF51F14B84B2FBDBD806B51,SHA256=00C68A3E82438F0229901F290EB048626057E644CA0055D5BF16B12C5D41AEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:45.538{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7185901F9E4A17D4ECFEB72EF4D03A98,SHA256=C1D72BF8EB4B27541581A569F6A7B87F4C43C9F9B69F5E786016D254D7C199AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:45.239{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E384BED03B8BED86DB33E2C9AA5E6313,SHA256=86BEDC3FF5313DEEC145EAA6A736A3EBE03F3905B2AECB52F359D3702EAA4EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:45.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EE7FE7771C5C3B933242886ABF1AAB,SHA256=9C8ABBDF3C5C1DDB917FF399A34BAF43CE8A0780C1DD8A8D3771BD7B8CB77B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:46.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFB996161F57D1B90E871AC8BC4CF7D,SHA256=21DB0AD9028E422AE4BC12145070859B1EE07BB9491CF818AAF9C8E64D0418D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:46.253{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5FD455D28251CA21797A03745A5E8D,SHA256=42B1DD9855B2D70209D7820E19C7DDAE43A9FE7D1833FCCFDB8EE7C596C48087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:47.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282B634BBFC33128859E822F7B84119D,SHA256=81CC24A947F00B9E959B14F389488F71A9B5F0A881A801AE5E33B9F9E3B3925F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:43.070{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52360-false10.0.1.12-8000- 23542300x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:47.268{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4098F76EA986A999AE46537E9292B64D,SHA256=385DA01A1DA526E8B4F497FF822FBE1D3E7078D1DE8F8A0088DB46EE6B75EF4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:45.854{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:48.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1491C88E2F248D424B4E30B1A43F53D,SHA256=9C2E437BF22AB8AF23639CD51B2E3DD3592B5D00E8E00ED16D0C3AF5FB623705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:48.283{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645FE93B6C397A8206031F628FAA32AB,SHA256=E8BA84C1A00633469AAB9DDF23A0E45270F44BDD41A4238E614BF85CCEFCC292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:49.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFED5D98AE42DAB6E0982A230A98F2E5,SHA256=CC7426DCBED6F5C4FC0B55B2795C0E9574FAD33886EAE0E255823A23FD858B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:49.316{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496095DA0A9DEC34871DF312CEE648F3,SHA256=45F7C0200DE47ECDFD8D8ACB69A0F18DC5E4BA739DB87AA2F1897BCBDD778464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:50.835{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B2E3B9CAB845D1BD878B9804AA7FD20,SHA256=CA4C5D2997BB0CA23FB405FE7B0076F9DBBA3816FFC72F2C9DC91011B8A75A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:50.257{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842C80BB9536757FE7AF6DF17D215CF9,SHA256=C22BBE467300FA088482637D7C486F153E41C95768458C873497A64E59DF56B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:50.336{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F9827FBFEF1135E49D190584A731C,SHA256=53CC4A8FEAD53E10C28698A6C6C90AED866A960A86FCA3B1128C1E2D7E5F67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:51.257{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E514434AFFB7CC5CEE923025B3CA7028,SHA256=058456E69F195FCD688E67B1B5FBED21B8D1031CDE059D329E521CB728D75A13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:48.082{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52361-false10.0.1.12-8000- 23542300x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:51.366{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF7B3FB7BC5B56A6FA971F726E3C80,SHA256=023C8C9ADE7508466CA6A75A0DA9C9DF401CF90E8E6C5C33FD260F76617BF15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:51.219{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:50.859{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:52.257{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CB1A6ED4E47ABBFB8D4DD276620097,SHA256=D9C4ACD7325482C0197651400504989D42D51568289EC965D82876AE7CF8385E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:52.397{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FCB73EACE64EAC7DF1DCA745F27255,SHA256=4FE6553C56023900408671A118B8C77E99DC2EB55B806E28F16F00D0253D2FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:53.476{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81718F665BB5E4ABC9F585698EE8AE62,SHA256=F43307099CAAE938A72A5F26F3B16581A1DA055AE57D685B1C07AF4EE0B80ED4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:28:53.995{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798ca-0x74bb2b19) 354300x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:49.999{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60189- 354300x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:49.129{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52362-false10.0.1.12-8089- 23542300x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:53.414{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02142BA8ACD606537EE279E9DA34536,SHA256=AEED56289CE27ED9B440FE084EAEBB4FC1262FE7A33F6FE02AA4A5A330292DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:54.507{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DA20D1191F2C9009D12C98387791BF,SHA256=1CFEE376F2071EA02B83C443F0A1D92AE3278C0273B9C2EE5047B2CEF1B57E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:54.432{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A860EFADCDA8BC2C37CE6009C7AC4DD,SHA256=AA11B10F5A7812F678A15317DDDEE7062E9041EE56007814E023C490D5E2768B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:55.538{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EBC994D005B07791514F33412A158E,SHA256=CAEB37739BFD09B8B54043C26944A815D7FFCB4E165B2EFEA6ABC47F9A1487EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:51.910{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:55.478{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833B7DE3BA1A1AA5443ACE2E96BB7E01,SHA256=4633186D88EA255557F1F54F45913783FDA2226DC29F1E9AF31BAB7CA6F46AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:56.647{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115A3BB89C53E0A7F980E5BA095830FC,SHA256=B85CAC227119250BDD56622192DB121044AD6A704ADB85AF02EC26B27933AA9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:53.094{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52363-false10.0.1.12-8000- 23542300x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:56.493{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A705F406D5D51172257625E4FD161EF3,SHA256=5710EE4271053E6C676A84848E80BC8B2ED47F8E4F1FF73ADFE5D4D6F09A6ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:57.866{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B873342D1698DCA66EDB449C01AAD0E,SHA256=5B92FEC5B00E81BF119D89BF5D58DF544F087BB661962F9E1EF732688312A34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:57.512{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B393D5F8D87A09AD7D45E331F50C7A45,SHA256=943718DAC686F88101343FAD71D038ACAF1C8DC4614D2C391160E650B95AD580,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:56.687{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:58.560{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28280DF7F79ED0D0A0337E7720E41C30,SHA256=ADDCB57C9159B965BF478F9F645941396BFC2C43CDDD2EF0070CEAB3288F3AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:28:59.101{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A578A4AF7D91BE46A40E18FAC25BBF2,SHA256=DF7D79D447042472E2F258CD6D58D052506379D72A58DC2C1948D7BCCD39D5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:59.576{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E285D0644786604F108B68CAA9F64F2A,SHA256=4A0AB8943D462AB5B58E59F1954B9D471037BAAE168FF8F0BE29C87692928E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:00.335{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E136196F53BC6C6325027287020951,SHA256=1AF1BF56163F1A64CD029FED01368FFC1D4E991260ABD293AC81D83DFFC483BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5DDAA65D594FD849692911712467D2CB,SHA256=5FEF304150B95DD5EA9AA704076567488F40C9B198506C0E3144FE4C7841D738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=EF06AC3209758D2EBC5CE7331B4AC103,SHA256=5D3C23D7B282518D90BF672D1A2FA74BCA41CDEECC04D34F27DF7EDC7BFCD8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=DB3286B56853075FDD23B07CCBF138BB,SHA256=9C1C2F71C341C77F19FC51895FC9A42D5B3010CA13E4ECDF8DE977808C717C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=7A7813BC144723B40451B673BB1B0997,SHA256=0EAA288895C87AC5D539E6A3C0E763B9D1F0C107C7B7B9DDE92D7D145B94F71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=CE3DC54194933ED8843A6FB1B79BB38A,SHA256=36DFC61F12C0B30995FD4E5460DD5B238FBC9A811CC2C2D22AAA21B66C25406F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B3D51D12B4CC2366F3FDDB29AAF0F38C,SHA256=00A126DF107F6B0F27D3F7B419F1165743F0D4C2032DCF4537467F35C3D29B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2EF19649E7103D164AD92D46729338C3,SHA256=2C6F3BFBE05DDF1B7C9D9A6372435ADC7945F136FA7C79A2C61DAF27BB01B17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=EC5611DBADA3AA19EDF434D30D7797B7,SHA256=42D548591C8F775DD2A2CD005217A23B147EBBAAE33338080BC2EDFF1E9BE483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:00.590{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7715270D587E819F17CC9886499B9910,SHA256=58E97DF583FB61B925F4735745AD035474614EBB829E53C45693BC728246BA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:01.569{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1DD429FBC41217464D0466510E1FE,SHA256=3257BF03A31A664097D890FEC737F39A31580C363A5CD5BDFCA3A3CD938B14D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:01.614{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A32858ACDE10C932B5B0BCA8E0E590,SHA256=EDEACDC2A1B9EFD1DF09D7AB927AB4CE8AC38F937F22EA2001265F51EC2958F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:02.569{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EECEFD5EEC12135254AE37B7893978,SHA256=83769CFF2692E37B8AD2174623AA806A6BB2C2985005356AC0B030A7D0F6385D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:28:59.043{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52364-false10.0.1.12-8000- 23542300x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:02.629{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ECCECA69F61166E9183FA19C5EBF0C,SHA256=2BD203DC37DBDCBECA577C2A5E6D61EB8990452A5E55A1F891960DE4F2E13726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:03.569{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3322A121561A9B47FFC7368C2DB3A6,SHA256=572A878945C77629AE2C903D11EB7D23D547A6A25533457BC8F4452C7E3E8800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:03.644{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C879391BDAC02F6689F75B9CE606AE7,SHA256=F1B782A98E414504318BE5187F129D8E4C7F4DB51DF33D2764CADF40B887AE69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:01.781{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:04.647{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B199C169126F064E78104561487229,SHA256=6FF926347BAC59B7D0AB10AC20AC717A7419C4BD80E388C8E7CA62EF3058622A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:04.660{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B9A03BF8D4AC4411F569178BF6F566,SHA256=8CB1F71108C1B1B2D1BE3D5B59628A66BAD175A58F70B09F12134FE2E6396C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:05.757{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE6EB34D64CA605A64C52E034B6F7F4,SHA256=5A21AF9A7488E23AD89F465B19738A219CC4CA8AF9B785A61DB81D85A983F6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:05.660{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F944467569DA9290563A67C59A409850,SHA256=4B202F89D398911CB3A59F429350BF46728422149C290F22AB9AD4755AB4E158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:06.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C50780381A4E55AF23AA01DF5C5CE,SHA256=CF6958E086666CFF59885A6DA1CE1F7D4B6EFFD7316B2981CC598B9F057A4708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:06.691{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E152B13063414F0BD3DF2F012C6AAF3,SHA256=A724C08D1B18863005D141AF3F0C47A84575227429E7EA668860100CAAA1874A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:07.710{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AE1E5726BD9143B752E9253F37F384,SHA256=51796296067D60F8CC2ABB1DEC6176B2EF93BFD495FE8B897513AF948EF867AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE3-6124-C406-00000000F101}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBE3-6124-C406-00000000F101}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.866{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE3-6124-C406-00000000F101}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:07.867{D371C250-BBE3-6124-C406-00000000F101}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:08.726{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7200A46431BE89DE215BE5C4E1E282C,SHA256=EE107A6674256DA5658907424076F640E2750E44124E5DB2D11968B5989F5827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.882{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B96927AA869F0725772E65FDF427590,SHA256=31355AAAD46BFBBCD1919257893BD984581A23AB58174047C6D00D7883A4CEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.882{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4860454B15726DC33036F87A1D2FEADA,SHA256=48609FEDC63C2FD21ECC3E2AC5E589ECF2F0C2A2E66056369093A9D3362BC213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE4-6124-C506-00000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BBE4-6124-C506-00000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.538{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE4-6124-C506-00000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.539{D371C250-BBE4-6124-C506-00000000F101}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.007{D371C250-BBE3-6124-C406-00000000F101}17762692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:08.007{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C4BB090AC72D4F42E3CD8914DF9090,SHA256=2B656C319E65968934604453E22042A659616AB47C9704A449C7B1F881FB942C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:08.358{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6C68E6BBCA61BB6A67F4A6E4981A76D4,SHA256=CE80BE35B5A6FD14B17B4EDAFC187959943FBFF359B23AF899A7188347FA3261,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:04.107{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52365-false10.0.1.12-8000- 23542300x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:09.741{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D94F2ED2858F3CDA6B357D1ADA7C9B2,SHA256=9CD02D668DBEC706C35E991CE1C731B9263C9BF9D5A0CBE8AC0BED6062254411,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:06.830{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE5-6124-C606-00000000F101}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBE5-6124-C606-00000000F101}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.210{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE5-6124-C606-00000000F101}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.211{D371C250-BBE5-6124-C606-00000000F101}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:09.007{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC75684083CFD617CBE15F56BF3F021B,SHA256=B8ECBD8CCDA5E6291A4214AA9F5E4E90C823AE175655C4D648B8DCC0282AFFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:10.756{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB802FFE7DAF0B1A5BDB6439C0CBA918,SHA256=DF767634E7A66FF422C1254DBE622F10961B05CBC5756955445B392FD1788CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.462{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB23E4BF5070BF8D56B3ACF6EDA0A9A,SHA256=A3490B08ECE54CD63063824DC7A2EADEBAEE942BAB7093D67738FD65CBF4B033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.462{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B96927AA869F0725772E65FDF427590,SHA256=31355AAAD46BFBBCD1919257893BD984581A23AB58174047C6D00D7883A4CEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.212{D371C250-BBE6-6124-C706-00000000F101}1936100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE6-6124-C706-00000000F101}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BBE6-6124-C706-00000000F101}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.040{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE6-6124-C706-00000000F101}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:10.041{D371C250-BBE6-6124-C706-00000000F101}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:11.771{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43ABA6AB612CCD9294704E7D0459FDD,SHA256=96D86F20437E7A29E15E4E39473EB99D3D46E40A3969054517B8AB3866B58734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.978{D371C250-BBE7-6124-C906-00000000F101}39083748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE7-6124-C906-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBE7-6124-C906-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.837{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE7-6124-C906-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.838{D371C250-BBE7-6124-C906-00000000F101}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.322{D371C250-BBE7-6124-C806-00000000F101}688884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.275{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9AB5FF0431907AA651E82339B9758B,SHA256=20A6EAE559F1B26F501C45B4400BF2998C15523B7054E61A2DF1E28764500A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE7-6124-C806-00000000F101}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBE7-6124-C806-00000000F101}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.165{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE7-6124-C806-00000000F101}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.166{D371C250-BBE7-6124-C806-00000000F101}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027178Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BBE8-6124-CA06-00000000F101}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BBE8-6124-CA06-00000000F101}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.509{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BBE8-6124-CA06-00000000F101}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.510{D371C250-BBE8-6124-CA06-00000000F101}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.306{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919944DDC0C90460129BA4312DD5B9EC,SHA256=338E5B276255467603CDE1EC091BCC5C36E3DA4DB2CFB890FE5E0D377D116467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:12.785{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AAD20BA1FED442F73B56CB41CDA5F2,SHA256=B516C64DD3624FF4AC133D41D31BC7472BFC01166C25E4DE39D472E0B24B8996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:12.197{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2679D1870046F8A098E202E58B83AAF4,SHA256=2484528121C38CB380ED91EAD616CA8AE190C3853D93A1F258CC0A10756A7CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027181Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:11.831{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027180Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:13.728{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0220FB847383899D58688C19AE589D,SHA256=5BA1EB2BB16F40B93D7DCA38D14F155391E87C7DAC03FD5510FB4395830177E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027179Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:13.540{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276772A4D3BAF4DC91DF0CBE7519578,SHA256=C57D652128BE3EF05707923CB81659265C6414E79F14DBA6A3CE2A8F3A1880F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:13.804{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0823C41A76219AED0C4F18B97D91782,SHA256=5C98AAC5359FEF15849DC0B57EA12F749BF0C5C5E0C9FE0BEE0770F03731EE7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:09.172{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52366-false10.0.1.12-8000- 23542300x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:14.822{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90096020CB05B6904F72758BDA783B1E,SHA256=1A8819A1EBFEED7E9EB3A995A63966414259BB2E5DF157FADE05E2F4AA0311C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027182Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:14.697{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840632F96009FADB89269C108F3F941,SHA256=CB2F648DAACA33C209C1BE08EBCFBEFDFFAC9A232C6B927B813F84B945D29319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027183Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:15.712{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF28EE1F07FD6B7A1FB50952ED0879,SHA256=770785511B396E0FA0BEC8DB9C564D9DCC3D02B506E2A59839421E435312D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:15.852{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9F2EBB12D2E81783522F1474961A40,SHA256=93BE52B61F34EFBA5DFE03CF3D7FB3350F1F8044ED77F596E2CD9F2401DC76C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027184Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:16.947{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA712438447C18451B3709011BE7E52F,SHA256=385E4DFA12D8922553A38A4CD59F7DD7E72A2385324A6F377070F1F964042932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:16.867{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D638E6ECF4376520A99C8B8ADE46281,SHA256=4EDBC2474F3B6C8793E3EB709A6011C5E38C78884079CB342D256F6C23A4374D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:17.882{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB565F476A9E4B8B0E8F5044FEC7EFB,SHA256=CEB3CBACB89A298797DC01241FD8FED2BBB8B8962C50CD4B031B670C0EB738E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:18.900{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1051D1FD07C70D567CFE0AE941A97A79,SHA256=301368D92E94D5926F495236F2F8077B90EF94EFBA559ED9C40B5AFF7C8B29C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027185Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:18.181{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D009CE6991F84F4ED5526AE5EA71,SHA256=FB35992686577075051810376940CB8CD9FF8C42A4B89D5E67609BC1434D99D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:14.570{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52367-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:14.570{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52367-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:19.918{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B4027E9FD3BECF1C800F5BDE171AE,SHA256=B93C67EB797D153DE8D3B12AE261D6F2AFACE29E75C6EEBA9225649A3B6735B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027187Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:16.877{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027186Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:19.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D62CF1DF43712DBDA8C756994F14B5F,SHA256=60ECCC03A7E33C91C46D90B467315D8B15D00E9EF92C41F53F8FA925949FFE71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:15.184{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52368-false10.0.1.12-8000- 23542300x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:20.933{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC1773A8067FF1BCA6D27E1C6DEBB78,SHA256=2E969907EA9E2352CAAD3DAFEEBEB3B7C239123F7790A9BC9B2FC97358BD7F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027188Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:20.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E11C2C53416BEF3C1062097F1B7A35,SHA256=D3F7EC446E1694BF2AE3D32062ABD675C152205F887B7E05C12B1F0D3E2F0821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:21.948{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A467714A39DB2698D5F86D2DC0F21CE1,SHA256=3BC6CCE5C0E9428A3B785629BB44A7D35A0B567C71E8C4DB0C9A02187F60280D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027189Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:21.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32A405884241FA340FD9F4D6E905772,SHA256=4D07CB55C2855008EA3DC223F9BBA0923AE0F721B0D66FBC46639F7F86644785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:22.978{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EAF12BDCF4F16E2689A9C7E4F5034A,SHA256=7C01A22F2632BCAD82BE0BD34D219C21C1F4141DC0C868AA7474A7EEE573FC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027190Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:22.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC8A3764D7C79927EEB4F42EEF5D54,SHA256=FD8A233BFFFF7E3A481AA23AD86A0532B88C9318FBBA2C3F586A7A933B384BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:22.335{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-115MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:23.996{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B5D589CB8CDFDACE1765F7E0A1ACC4,SHA256=CB0BF1A636A7EB163D3BE333A0D391FCDDD4161714770FCB4A7DC495FA6E6A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:23.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EC0A1E0B7A547B981F7D2225E6DDA8,SHA256=F7CC6F101525DAD08EA3BD1827FA2354CFCAF1817684C419BA57B342D24E6BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:23.348{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-116MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:24.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559697A6DE31F772C3C3BAD6C35403C5,SHA256=378A33B7539412FF8A75767EF9372C18E21CB58EE9DC9780B6FBEF62C49F3512,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:22.659{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:25.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5248432FF98E0FD546D4EBCD9A09E,SHA256=B094D15395CD87C379893C4B583C8BF3CC805C81AAEB645EE07875DBB743B1AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF5-6124-5B09-00000000F001}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BBF5-6124-5B09-00000000F001}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.677{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF5-6124-5B09-00000000F001}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.678{80A11F3A-BBF5-6124-5B09-00000000F001}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:21.148{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52369-false10.0.1.12-8000- 23542300x800000000000000047898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:25.015{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96C8B1FB0F0B4C3CC97409CD3DC3CD9,SHA256=FDB2B49CFB6064B8618B1CBE30C1BF467B19DC1C26A13F13B0D85CA3F42B595A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:26.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98177EE2A4E3882A593C63C53DC299,SHA256=A709EC7CA0EFB2FCF98339C1DB3A967D6C6E03F108E8B5F6E2B13613B294CC1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF6-6124-5D09-00000000F001}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BBF6-6124-5D09-00000000F001}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.861{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF6-6124-5D09-00000000F001}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.862{80A11F3A-BBF6-6124-5D09-00000000F001}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.699{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA344957F46C503EF245AF9C9A83565,SHA256=7D097C861CEAE81405509F00D161749CE7D6F8EAD996DF20DC0BD97A22FE7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.696{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAF56F6BADF51F14B84B2FBDBD806B51,SHA256=00C68A3E82438F0229901F290EB048626057E644CA0055D5BF16B12C5D41AEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF6-6124-5C09-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BBF6-6124-5C09-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.246{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF6-6124-5C09-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.247{80A11F3A-BBF6-6124-5C09-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:26.030{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12AFC5F80E04777FD33D07A83278783,SHA256=18E81A3D0C24831E638EEA80917ABD4E6F617D4726121DA54A3B4087CC4AF224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:27.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9DF32141A2D30064952CC478921F1C,SHA256=C9EE3335E5A21FFB436D6CB403CEC2DAE7930A90AFFD0FD87A6225ECDBE7D11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.997{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF7-6124-5E09-00000000F001}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BBF7-6124-5E09-00000000F001}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.949{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF7-6124-5E09-00000000F001}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.950{80A11F3A-BBF7-6124-5E09-00000000F001}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.865{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA344957F46C503EF245AF9C9A83565,SHA256=7D097C861CEAE81405509F00D161749CE7D6F8EAD996DF20DC0BD97A22FE7CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.046{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4707DB8D4230DFAA5899F3553E7158E8,SHA256=005697DD2C325A742BCDC3B93AE10B2D2D3CBB203E0477A4DD87AA7BF8762FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.014{80A11F3A-BBF6-6124-5D09-00000000F001}21323736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:28.290{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209A3E05FD13CEBEF2A8123E756282D,SHA256=4318E6CEE12123CDA173395B79FD57290D5517E0C1AC218F8D82328DE4390E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.964{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73E91C29B98EB75659848BEDC4CB01AE,SHA256=BDB6C2F260450AB83C7C2F5AEBF1E5C6B585DED4718664BED4041640DE656E2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.833{80A11F3A-BBF8-6124-5F09-00000000F001}48284196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF8-6124-5F09-00000000F001}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BBF8-6124-5F09-00000000F001}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.633{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF8-6124-5F09-00000000F001}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.634{80A11F3A-BBF8-6124-5F09-00000000F001}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.134{80A11F3A-BBF7-6124-5E09-00000000F001}70881136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:28.081{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB7D72422BB12DED493377601A8FD0A,SHA256=55E3A536FC7A52E750A7D1AC3AB89D61B66C377953C38ABC5A5DE3A150F1B6F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:27.862{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:29.337{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCBA0127C68EC8E53F596D6474E9EFF,SHA256=79670FA5693A08C272B54AE4C04D21987975B1C44BAFFBE7DA927C38DBB90482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.998{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.997{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.997{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.997{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.996{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BBF9-6124-6109-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.996{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF9-6124-6109-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.995{80A11F3A-BBF9-6124-6109-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.479{80A11F3A-BBF9-6124-6009-00000000F001}49845944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF9-6124-6009-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BBF9-6124-6009-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.317{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BBF9-6124-6009-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.318{80A11F3A-BBF9-6124-6009-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:29.101{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD3D7A1DFEAC487665C634F588B5111,SHA256=DB655809EEEE068CAC22718DE57594EEA40DEF073225765B3B03F8FACC82B827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:30.415{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154D3D0990201C04300D6D11F4DB90FB,SHA256=878ACE907B5C03492BEC4FFD67C1761825CE7B138BC72A4C7632A72BD9CEDCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:30.378{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E34898B33007EF39A67DA80B4041F9,SHA256=414B70ABB70A0F34829F8D4EEAB330D6BAE8D5FBCE6AF2B6509ED46D6BF3B1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:30.115{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3EAC9BB606FF44C6F3DB57CEAA8BAA,SHA256=24BB07A7538B990FD999218AC7983D4D999BFD422202B6CDBA8E4FCF85EEB3FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:30.000{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BBF9-6124-6109-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:31.665{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76320F658837EEA88486FCEA6D271B2D,SHA256=B00BC4098C3E655BBF4CD593AA0FD4F47DE416A45E01586B84A6CB4B1856DA2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:27.112{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52370-false10.0.1.12-8000- 23542300x800000000000000047971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:31.115{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22DC6F2825ACF8348B9E66B9FC7F6C2,SHA256=8823A813BEE7C85168F2FCAB21BB3C0064CB7EF2384F77DE7A8D91D0D30D12E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:32.900{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:32.884{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02648A787FA1D330D4E67D644522BCB0,SHA256=72466D74281C0FA4AD00579047193862BA8ABA7D65AFE7F82A504327F95F13DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:32.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951D340F34DE646ED343DF09EF3DA3FD,SHA256=5F2814B6B348CB51D342DCECF196465521169C5278DCCFE4E70EF9A564460BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:33.145{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D7DDCFAC8AB21F49A43463E3DE0618,SHA256=CE5E95E81B6F503241E412D93CA1EBEA7B4E6853360BDFBC78CA96E61891EE73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:32.503{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:34.118{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8049FB5EC75A7A8D3B97E16B7712BF96,SHA256=5AA81226E1079ABEAD93BA530E7C0A95AC915DCE9A7A99421572E6723013830A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:34.160{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF044DDE6B5BD3B658111A5A39A16985,SHA256=72D1128875CB8FEE360B223643D58016BD25BF539EF37E3B0890C60D2B6EF1BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:33.799{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:35.259{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4432206BFF68159E1602DE53DFBEDD69,SHA256=955086515D2935745241B81311C2FB1434A6245A871736081C27A2CC1F1800B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:35.174{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDC05392F85F1A1C6FE4FF5DAB432F9,SHA256=9D3C17CC232122A3552BB462DB1D276CBB4D854090AC11E09EBF972061F726A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:36.337{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7675DFF5F84C6475B8A27E967D55B662,SHA256=8AACC26F261AE22DAEF7DA1367886189D4E8970E632C1A46DC371BC915962D47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:33.145{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52371-false10.0.1.12-8000- 23542300x800000000000000047977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:36.179{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478F98A8A363B084183276032DD96037,SHA256=C3CD9B8EA8515DBAE310D1582212EA41166D0EAEBD64EAE3C2BCE70CB12C8771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:37.337{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1D2560A18BC3436E2575CCD52AF485,SHA256=711B5CB5583499A7E08E7070CBCF3F3DFA8A5062DD93A1C5504F9663A8BFCC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:37.197{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1BF8C7D4A0E44AF1AD920DDF76BEAA,SHA256=5304EB5434436F2031AD6E8794B5A73B6265C726A4A818DE72EA16DC46C9834F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:38.544{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-108MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:38.338{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B95AD32D1C9E04769AB534B005851F,SHA256=E18CF3218EB88E6EE4573ECA70965CB4C87BA6A8106B4D390315ACC01B94DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:38.746{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18078329AF7E9E90D62520E4EA60EF9E,SHA256=08E91EEF197CA1EA6A928CA5150210D0A9D467071F51C7B675C4B6BFBDD50ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:38.746{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA8870F9C84C0CDB3E4702DFB25A032,SHA256=3A7FAF035A4033F5558ECDEA52DB7CE914FC1CD84C6B5BEC0342BFE7135397D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:38.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB23740554EEB8ABDBE78E449348402D,SHA256=1F7150D853AEE41E4ABBFDD480C2D2430216EAF4077199D2D122CF3B2072E5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:39.558{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:39.354{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD9494BF22CB36A0AB271C8C3EBB67E,SHA256=764564F7C3C762A4182DA51C52BE437EA3201B4E0BB636C6A07268BA3C7268A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:35.648{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52372-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000047984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:35.648{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52372-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000047983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:39.230{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC8B2E00D1F2A555E851A788A2BABF2,SHA256=024A7B7CD088FDDD3F22308752A3BA0AE1384461EBF261A208F46BCA715D00E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:38.847{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:40.354{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96DE7B0AB545C5324B1EBF9ED0F11B5,SHA256=1B1239D0B4E109E8E9AFF55F9A49C3DEAED2F09904D245561A26FDE978C74953,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:37.024{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52373-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000047989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:37.015{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51695- 354300x800000000000000047988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:37.013{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54746- 354300x800000000000000047987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:37.012{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54746-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domain 23542300x800000000000000047986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:40.245{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBEE94B6FF8416B61B0F90FB538EEBD,SHA256=0DFE40A5981CCFE07E9095F8DDE90549D747FAF83E0F6103B3B1E5D7DA28F10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:41.354{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E051F20FECD45C692575F7601B921089,SHA256=90FA95E4B17ACA92F7E772D711FA92717B0D5566CB4DF75D7F1B45DA66672943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:41.246{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C26F82A2734BB9CBDDE9F1AE2AB1842,SHA256=AFB0301BDEF26EA5F6DD3686753C6A03D3F6FF31E89F1299A63CA663181CB5B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:41.230{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000047992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:41.230{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000047991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:41.230{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6d8e72.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:42.354{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4A368119062AC2B2DB2A82AE745D39,SHA256=88B315F83FC22BA5BA41DD030C6D8DAD5090E9ED9F3B4DBEB24791DBC629C135,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:39.148{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52374-false10.0.1.12-8000- 23542300x800000000000000047995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:42.249{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C03C13B35F5B383BCF867F2580852BB,SHA256=188EEB11FACFFB996783B27DE3990CCE80CF3EFAD04ECD1C6F2E0EA25E0E6543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:43.354{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11EC76668716848AF0584CF141260CC,SHA256=E37912C4AD6E13D8E0F6AF089663DA80FD09CAAB7CA431396F2B5FC4440D32CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:43.281{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ACD261592E7F0DA606032E28BA6492,SHA256=CA2AA9B92FBBB602D9B5B3BBAC8CA3163A7328CF2D211BBF3BA942E2A91724C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:44.370{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F84DF37163463496D6203605290CF,SHA256=21BC0312DBB90A74E429D37E9B9993E533C9E7124F7CB3C921C8BE00F0B0D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:44.296{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD80E029C6C3DF3FC32F6F030EDD72B3,SHA256=E5FA5E234C6FEC1DF0407F3ED6479D9E22049C62A2B8358B91D80494EE48468F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:45.370{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1A73C28F12D43BCCCD793A5870A5A7,SHA256=539404A6856DD4CD4F84C959D6DDBD86C54295FE7C8865B37C013E0007C8D680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:45.315{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F95EDE948A489D4754982D12D86835B,SHA256=FD73963A4EB42A7510B06E6575C077C676C50C13E204349940DE027C2796B7AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:44.707{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:46.370{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0004D876FF5FA6022534C0E3F305CE67,SHA256=96298CCE1E12622B62BBAA8B269CD261FE20EAB2FBE2A586E6EC6F64D06BA065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:46.346{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9083B6EE17732553DE99349B49788B,SHA256=BD259F595118DA1AC9EF7DE3AC78C63A3FE0696E3A719EC7F35A0B482D2B0CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:47.376{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95DA5FE8F1602F79459617144A64716,SHA256=8BF3EECCBBCC09A87791439DACB13C9913C70966828890FE07543A09F0BEBDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:47.417{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF61D959244C941BF0791C3E4A1A7126,SHA256=A1D1B71B5BDA933F63CB19092AF9B6E5EEF3F06831FA977EB1D5C1EB5FDEC835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:48.417{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2C874F92703B654040079E77295AEE,SHA256=659050A91FEB5A0C9E8EC3E53175C090F60765F1FED92527C2605E90BE05575F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:45.063{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52375-false10.0.1.12-8000- 23542300x800000000000000048002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:48.394{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F22FF9353BE4150FEB042320D5D9FF,SHA256=D696FCE03BFC1C1E7DB67F0088CF4F0A0912D8EC3E3B334D22940A1F893EFE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:49.636{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824C7A330C65DECDC60DEB7A5F9F3973,SHA256=398B8EAB0CA3B1CE43643DF23180D9A8B7161DB983CEB0132D32AD9DE33E21BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:49.416{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164E7783B84CF8F0039FC89F3D9DE143,SHA256=6B93FD2D2E146AE38932EE8775B2BA56E5FCEC1DB35D0372BF0034BFD5FCD664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:50.842{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=726B84C9D2972796CF51EA4A093BF601,SHA256=2A193F45B19D487E3064690D08DBBE0D7184225F482BD7C5A84A2E5CB189149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:50.686{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AFEA1D35BC3F42B4A7C9C52CEFDC56,SHA256=44C3B24BA17CD66B682A980E733ECC5AC30F89124C500B1A4A02E54C75D6A3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:50.430{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11EEBB3E5E6024FCEAA80F9183932BF,SHA256=268AD4033FEF71632E58C1688FF61A4B462B00FB81C7EA1644C4798663FDDAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:49.805{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:51.920{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87CAAF2793AA8E730EFD59D81237798,SHA256=B828C062C15D9D03AE5213D522CBE7FF39179A8566E17B69F1442FD8F31D524E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:51.433{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EBC74824248B04A4F7A31A47560178,SHA256=EBBC7FBE94E15C9BC331E653B77E093FC87F5F9601700C791E4D7D181F727A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:51.299{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:51.297{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=43009D1592916714AC771E4D5045F2E7,SHA256=DAFED0F32F868C4452CEBBE796D778BCA0CFF7C855E6C88A22460DDA9273C3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:51.234{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:49.151{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52376-false10.0.1.12-8089- 23542300x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:52.448{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0CDEBD0168D7C0F9B9D2AB98B1F6F7,SHA256=AA625091FB1163A961BE606506DA5ABD8223DFE1EFF3992FDAD16740CE425E9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:53.264{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:53.264{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:53.264{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:53.155{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73C1ACDCBA2F333D0404645993F4A14,SHA256=F93C62425CFE50532FF544A4DCCC307B1818BA4384A59707F20EE03344470A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:53.463{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE6F11AD2701C38EC527DF2ADC8C61D,SHA256=B81FCB38D4F763266A03939065F6218964AD5ED852DF427BF38D8BF07E549AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:54.389{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEF268943C51DDD8CFD606E7A7B6225,SHA256=FE8E81ABC5903CAE4BFB9E3965D2EFAB44637971FB96A9AA048B47C82A81AB8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:51.012{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52377-false10.0.1.12-8000- 23542300x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:54.496{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11395184AC8880E68A3AEC15588BB751,SHA256=1C40F1D7C395FE33A14BE5058ACDC3E5FAEAD5EB2D5CD95D2AB8017790D978E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:55.576{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8294ADE02A3044E1002D68E086CAFA6C,SHA256=5D21FBB9CB2C69CCDBAF0CE0628DCE6D4BBE519FBD0320CB590D41871CA2F23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:55.515{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2615A872A974557CF92A7FB759D056A0,SHA256=BB58E2B4147825A8F0189E900D28B6003C998A40D804E3BF828AF414694EB42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:56.639{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E34709DEBBAF1D0E39366D396F48B96,SHA256=12ACEDB34F959C398119CEFB9A9DD3A095EC4857DFE2B98A0344EF302B750D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:56.530{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AAB5C13CDF3A8FD7DA286C9D511731,SHA256=B4FFF5F0A7C903002099CBFBBD75AB5E04D6E809D221E297A9025CA29C4DAEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:57.701{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997B9924A83375E68AE972CFEF44FA89,SHA256=7D66F4E5B7540C2D6F532151641284CF466A39F56B7D0034A0FBF8F6A57BB543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:57.576{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6F44E2F3F32354E17A66F9DAFBE8A1,SHA256=437095CFC32641143CF963199EEC8D1DC833AC1CE3EB7F58703A40A71CC1EF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:58.811{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E65D7C1D3A6FBB1A54DA7233AE732,SHA256=5EF72028688A6CBAF34A68009BEA28689C401127EDA91346058DAB9ED151CB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:58.596{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE49D8399F7C4A2CA9CD9041B8F89BD,SHA256=0D7B59CD414DC02746CE53DA288BF9277023E683C704746335D1A1D91DB6948A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:59.598{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1628F9D9D0E7B932F1F3E6CE8D03FBB5,SHA256=012218063398F174A349A9442052A5BAB1978510D685836808D464721575CA1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:29:55.711{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:00.629{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B21131DC87DB47B9ADA0567AD540CDA,SHA256=D4FE4DED73142185204E493B90873DB7A039DDB8E325194F75F4B8625BF75E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:00.014{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B6BF841D2CBC31278AD8EF26933A6,SHA256=8358BF7BEB779ADF5973C1F77A226715AD43735D27D5C39EEDDE0A567E59A45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:01.659{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E81EF3F6775A7B8A77A149FA6F3624,SHA256=C9D08F052D9707C202C90E1FE3C2808177FF3D72AD60195D2E8FCD4B0ED19D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:01.123{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD19015C3464E05BB71A6A0BAB4F8BD,SHA256=1B0E21A1043E0BB6F8C3FBE5B942484546FA6959D72A3E6E5D562BEF24A1581B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:29:56.979{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52378-false10.0.1.12-8000- 23542300x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:02.358{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA93EC0752AE194B464DBB72C66F709F,SHA256=339FEC1D61EC2443DA9AB0623504171E058B5372ED337571ECBA2C0BF9A0CAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:02.661{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E84428A037B6C54DA476BB317CBCAF,SHA256=80D239FCCC4C4B3877560A2BD33DA819CDAFA3CFB1BE193D7EB4F6760E5AD414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:03.662{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ECE96AB3CCDA683775D5F6676D3AAA,SHA256=A3EFA7DA8E5C609125B6D3CD5630CAD6655DD4E0D42C193A9A9139214795B57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:03.373{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AB2C3D48778E8E416A04E0A423487B,SHA256=FF94A0AF2C75EF7A958036B3303DD7C6043BC04413A9F4D59F7C1A748564A733,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066cee8) 13241300x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0x3c3e06cd) 13241300x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798ca-0x9e026ecd) 13241300x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0xffc6d6cd) 13241300x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0066cee8) 13241300x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0x3c3e06cd) 13241300x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798ca-0x9e026ecd) 13241300x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:30:03.280{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0xffc6d6cd) 23542300x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:04.678{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEC844AB6EB02E7A5CE5D63F79A9C8F,SHA256=7CF51D6D24B6ECAA5572564A2A3270FAE2780C842C0C406BB0F867965DF8622C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:04.389{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CF1F30B8BB42FAE13B1120D8E8729,SHA256=8ABF5E73F7E434B72637CF961EFC811A01F02F65B5DC847D3ADE38B3FDD4318E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:00.742{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:05.831{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:05.695{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87952B924CBB60DE73645F9DE1B75A47,SHA256=4A15E977D517653DFE9C54980BA773155A7A8309616593F213795E477B3F63CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:05.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F3C23CBE103582EF22F1F7DCC1DA32,SHA256=8C411FC6844DAF7EAB25CA78ABAD70B6B2E291EC8C8441BF9857463FB3FF9784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:06.845{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715DF0A9FC3E69C70FF63F6AEB7CFCA0,SHA256=A6908B08D0301821C2EEA6351FEDA205E71543AFA2ABD4F9C82C8CC09758D262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:06.845{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18078329AF7E9E90D62520E4EA60EF9E,SHA256=08E91EEF197CA1EA6A928CA5150210D0A9D467071F51C7B675C4B6BFBDD50ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:06.714{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948E00E9E43A9A2D8BEEE1A35279CA69,SHA256=6FBF71403FDF3D513329C48A718A866DE86A531F63EEBF86D0378F9212CF911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:06.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C166E4AD9DEBDF7FE9177CF7BC17D09,SHA256=0E0738770FE5CC8BD9EC7E13FE1002E7DE95A10F959F5128F7DB2EBB055CBECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:02.096{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52379-false10.0.1.12-8000- 13241300x800000000000000048048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000048047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000048046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\AddressTypeDWORD (0x00000000) 13241300x800000000000000048045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseTerminatesTimeDWORD (0x6124ca2f) 13241300x800000000000000048044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T2DWORD (0x6124c86d) 13241300x800000000000000048043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\T1DWORD (0x6124c327) 13241300x800000000000000048042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseObtainedTimeDWORD (0x6124bc1f) 13241300x800000000000000048041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\LeaseDWORD (0x00000e10) 13241300x800000000000000048040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpServer10.0.1.1 13241300x800000000000000048039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpSubnetMask255.255.255.0 13241300x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpIPAddress10.0.1.14 13241300x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:07.976{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce6260df-2df8-47dd-8b50-914e348894ac}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.729{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE912D19C8DEFD5591446674FC03F380,SHA256=56D6780851B3A68B24D649F13CD085F67D2E2F378CC55A0FA3A95D6FBCE8A800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC1F-6124-CB06-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BC1F-6124-CB06-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC1F-6124-CB06-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.858{D371C250-BC1F-6124-CB06-00000000F101}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:07.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4A8F9DD589A76A4076053CACE9806C,SHA256=31B359E13BF0104D1CC58AE1D9889DF0F0776819A40830988C97AAC2BAAA2683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.577{80A11F3A-9FFD-6124-1600-00000000F001}12964108C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.577{80A11F3A-9FFD-6124-1600-00000000F001}12964108C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:03.765{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52380-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:03.765{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52380-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 23542300x800000000000000048050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:08.744{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFB1967D055E8DE736FEE70454A2C20,SHA256=FA3BA1963DF67B4C631976C19AC74888D08AC760098E99C58D99086CB73A6115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.858{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A599F4D11C5F2E773ECCA34BEEB1773,SHA256=7B0B25B5485AA7262A0972759DD8F840087F22FB02774CDAAF4B0CC0935617BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.858{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831C737A3049C8A2D46BB37A003890F,SHA256=5989EE30931D3102D94197BE90A1F7874795CD9D6CFC29375E66DE96947F4C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC20-6124-CC06-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC20-6124-CC06-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.530{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC20-6124-CC06-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.531{D371C250-BC20-6124-CC06-00000000F101}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:08.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0FB28DD1B9D4A9267E2B2526462B84,SHA256=69418D8D7C0CFD2E3016258B6F3B19324C821FEF0966939E120BEBEBF3BDE015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:08.360{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5B40FE660AAFE8AAF6015603FBE81BF6,SHA256=94DFADECDB891BF0D66EA01B48853CFC4564119C5428CFFEEE62D5FC01B2C715,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:05.836{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:09.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DD874C10D346BDBA5D6C81A0B81B36,SHA256=E74E99DC2BACD3A7E147F4202C6CA29F8A24E0DC93D7FEE585FB6C1C51FB6BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.514{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C8B66A2F90C8F02E304E46DBAAB9C7,SHA256=845EDB5551DA8CCE51BF75918728C573BB6436D685AB5240AA01BD924AEBF93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:05.909{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 10341000x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.342{D371C250-BC21-6124-CD06-00000000F101}31003148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC21-6124-CD06-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BC21-6124-CD06-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.201{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC21-6124-CD06-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:09.202{D371C250-BC21-6124-CD06-00000000F101}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:10.776{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B971C302BFCA5380EAC590884DFE4674,SHA256=CB96309805C65FAA44FDCF07CEC57A3E4B9AB16E89E3903124F45BA730D9F334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.628{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6D4D9609F8B77769549B50786B97E6,SHA256=A258AE33E4294C060FDACE583B82800FDCD8F7BDE5D5CCFE70055869DADA5D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:06.025{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-391.attackrange.local59465-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:06.025{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62973- 354300x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:05.917{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:2889:5424:c8c0:5c75:9c6:ffff-58883-truee000:fc:80be:da7d:81be:db7d:82be:dc7d-5355llmnr 354300x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:05.917{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58883-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\FlagsDWORD (0x00000002) 13241300x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\TtlDWORD (0x000004b0) 13241300x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentPriUpdateToIpBinary Data 13241300x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\SentUpdateToIpBinary Data 13241300x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\DnsServersBinary Data 13241300x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\HostAddrsBinary Data 13241300x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\PrimaryDomainNameattackrange.local 13241300x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\AdapterDomainName(Empty) 13241300x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.027{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\Hostnamewin-dc-391 10341000x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:10.012{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:10.012{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{CE6260DF-2DF8-47DD-8B50-914E348894AC}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.206{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A599F4D11C5F2E773ECCA34BEEB1773,SHA256=7B0B25B5485AA7262A0972759DD8F840087F22FB02774CDAAF4B0CC0935617BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.160{D371C250-BC22-6124-CE06-00000000F101}3944416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC22-6124-CE06-00000000F101}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BC22-6124-CE06-00000000F101}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC22-6124-CE06-00000000F101}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:10.035{D371C250-BC22-6124-CE06-00000000F101}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:11.780{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DAA124DFDC98322DF5B7EA7A47D76B,SHA256=344ABC181BCF6D4E816AB95AED1FF27CA7FC495E124DCEB4ED571ECE7C558419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.956{D371C250-BC23-6124-D006-00000000F101}25481712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC23-6124-D006-00000000F101}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BC23-6124-D006-00000000F101}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.785{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC23-6124-D006-00000000F101}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.786{D371C250-BC23-6124-D006-00000000F101}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.675{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FAD388C5670A9CCF90B1553A574851,SHA256=0010C107E0CA800A866E176468E1D3AF10D0668D8141CC01A28ABD311B4AEF0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:08.027{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61644-false10.0.1.12-8000- 354300x800000000000000048088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.968{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local51695- 354300x800000000000000048087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.968{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53513-false10.0.1.14win-dc-391.attackrange.local53domain 354300x800000000000000048086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.968{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local53513- 354300x800000000000000048085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.967{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:2889:5424:c8c0:5c75:9c6:ffff-53513-truea00:10e:f57:9b4a:8d69:199f:dba5:723b-53domain 354300x800000000000000048084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.967{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local59318- 354300x800000000000000048083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.967{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60555- 354300x800000000000000048082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.966{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60555-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domain 354300x800000000000000048081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.966{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52781- 354300x800000000000000048080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.961{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61643-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.961{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61643-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.960{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local63776- 354300x800000000000000048077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.958{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local61642-false10.0.1.14win-dc-391.attackrange.local53domain 354300x800000000000000048076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.958{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local61642-false10.0.1.14win-dc-391.attackrange.local53domain 354300x800000000000000048075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.956{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local52224- 354300x800000000000000048074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.956{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local52224-false10.0.1.14win-dc-391.attackrange.local53domain 354300x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:07.956{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58602- 23542300x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:11.018{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=715DF0A9FC3E69C70FF63F6AEB7CFCA0,SHA256=A6908B08D0301821C2EEA6351FEDA205E71543AFA2ABD4F9C82C8CC09758D262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.316{D371C250-BC23-6124-CF06-00000000F101}2576840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC23-6124-CF06-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC23-6124-CF06-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.175{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC23-6124-CF06-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.176{D371C250-BC23-6124-CF06-00000000F101}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.769{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8EBF64F578902DA88831379416514D,SHA256=71E16247A52E001DA22BE7CF7A6F1F5D389E7F8D45FE44927F890DC6DF942569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:12.798{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEDE53F3A8C6623BFAFE88D0074FF2C,SHA256=98F948851EDFCBF695B67621AD74935CC1930C03D40F46D18F17C34A95B819BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC24-6124-D106-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC24-6124-D106-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC24-6124-D106-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.410{D371C250-BC24-6124-D106-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:12.191{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BF8FD57C62730F5CC6B99C559083CB,SHA256=B906374517FF546A98BC2FBA00AE5EDBBF77423453556097016AF62DA8F0FFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:13.816{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78FEBC0BFF332B69D669368525C1D0E,SHA256=09744312A5329A400B198321495729C22C6D585C960281F3CEA7A6900F88CE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:13.816{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAA820026EFFEA84DAD30AADF7DD938,SHA256=7AA68F0120D23EA9B682476F14F29DB1A06A8AFFAFC1E44076E8EDF9ED44F7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:13.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5578238E236B8406117F1EA91DB81F44,SHA256=4781FF6C68211504D2A9249412CF0E9739C93B140759A6425437343A773C7647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:14.846{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A9E1DAF54257084975C7DC634E9BB9,SHA256=FD885AFAFDD57690AF93C9C5727335A284425527EB5EB57EB8559EDBF679D0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:11.826{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:15.876{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566C85884ACE2D9A863D66E2D7B739FB,SHA256=2E367E4CEF8A6D88BDBFF1CCF8893576DEC892742A52880DED911AB7FD5053DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:15.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBADE6D73021DB8F91B8EAC5DF41C8D7,SHA256=A5181142231935F15E2D73D7EB938F8B8BEE2A75FD252B4DAE872F5CB1F88937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:16.914{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D2351A2E6383571CEC3A617B713800,SHA256=FFAC64A4588A6810AED262E712F8EB55E12591A7BF1CAF42CE9D8B912F36CF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:16.191{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F176912BF88555C682B282FEEB2BB22,SHA256=A632A3F7201F030695EE54C96F9067C11943857D714155AE93FAFD21018CED59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:17.944{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C08B19F03E806062C32EDECB91BF109,SHA256=0F32D98B9DB0A1F6C141F900C4D334E05D6DF30E867D3D71492A1C45A46B19C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:17.238{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DE79BE72258B3DF914A7B1E2D4BD82,SHA256=B1461728DB2E6C4AD77C96DDC82357E62A5C4C591B6BDE413EFCA62762DA822E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:17.675{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BB29CE2E78B61EC1965E6CEC75564B4,SHA256=7B0C32546C95259612A009EAAA556EE7C8E95F67362034E493F43E9B460258A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:17.675{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=508B2BDE34C43B2E7092137736D64F75,SHA256=B8973B1FDB15A1AB3DD5793C8F2EAFEF81C1BB78AF4F71F616F95B4695BA7FEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:13.064{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61645-false10.0.1.12-8000- 23542300x800000000000000048100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:18.975{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196C047EEC6499AECFDCE6B721BF818C,SHA256=6CF3E38E765191B9CE14608699751FD813698ABFB085CE8082313C74C6B06E4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:16.857{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:18.238{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B9B7CBB1406A552DC95F544BBCEC94,SHA256=A7684445398CF3F5BC44A34277087F0F0311758DE2508FFF80EEF10B55414021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:19.992{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974B1F178AFAE8B8658F02A69BB3A91E,SHA256=4163140EE3099A79ACCE09A69BD04CED79A5822DE5239E1D628B98892A9690D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:19.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C20C524A9074F05EF8EA69FEC595D2,SHA256=4B2AEBE2F4E6527006A2A8928B84CC30E083E21DF5FF41A9CE8981D5F5CDE119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:20.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284A83AA5281D7A0FB30F19D8D00B261,SHA256=D38A4F6487B77F5394D9A63F9717C66AC248A5CCDE3E190BCDB9D90C3B0635B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:21.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE0603232C84593BC7BF5230963D5E8,SHA256=85687DA75DE8E7A811006CF5B0C8A20C1E1140CE0BA87DE7443279C929FBCCEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:18.145{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61646-false10.0.1.12-8000- 23542300x800000000000000048102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:21.011{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7465A6CCD2E60F699E075ABC638685EC,SHA256=B8FD40640C88AC59AA22441C45E24B9D93BBC5E5CE0B72575912EA88A9C9517D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:22.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A90570DF6D72AFE85A601594B6BA67F,SHA256=0E98B3A52F415A8FCF8E98A597F962A1DC6B67D45CCBB8290F95574148068B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:22.041{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E4843EC076BF919A3B7DFF6626E2CB,SHA256=415C78513ACCB130B2177E0CFD26FC187A42484F72A86DC6664614763587B6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:23.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8177D578CB70BEBA861C85007DF481A8,SHA256=891404B56BA09F994C109991F3F4B5B2E338FC990B0B5DAA032E3160ADE229B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:23.873{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-116MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:23.071{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105ED2227EA0D491AC756E87B1169B66,SHA256=DD294E395E5CE1D9A69F61B559307D1285F8DD788791ED33C076E9F8C5759A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:24.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294293942F28EC5C6E74FE634A47408E,SHA256=EF8BF955DA5EB3C47F69452D4DD0F3E323A203D24170201F4CE30B6D0A490186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:24.887{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-117MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:24.108{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3E4A66D231D5B5B558A471F4763BB0,SHA256=D070AED39D5A2C15E1C7042039AE3AC455C32C3CC89D52FA426A0ED8A717995F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:25.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805B28CDFD14AB51662ACC718597C9E9,SHA256=FE4CD20BE555825D6FE733BE0DEB800FE5589B3DC6402CE6C12AB4616A294ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.691{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC31-6124-6209-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.689{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.689{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.689{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.688{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.688{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC31-6124-6209-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.688{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC31-6124-6209-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.686{80A11F3A-BC31-6124-6209-00000000F001}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:25.138{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D040E0A62D9857484E00053582BCF22,SHA256=F4DCA9FA2F587EE545FCC5E03545162D53B8AC1684CD51F6739A3444933FD62D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:22.638{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:26.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB92A6A9A615EF8C477DF5F1B7AEFF0,SHA256=7772B223B3C8CC6AA3F9A8AB5D8D97BB3C110BE9B8B17F5C353B1CAFF5E47170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC32-6124-6409-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BC32-6124-6409-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.953{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC32-6124-6409-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.954{80A11F3A-BC32-6124-6409-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.707{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3ED54407DF0FF298676A150F54AF0F,SHA256=4195278E93EB7EE9AED52BAB2803AA1AB407E40FC53D4441598390B6D7B2BC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.707{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BB29CE2E78B61EC1965E6CEC75564B4,SHA256=7B0C32546C95259612A009EAAA556EE7C8E95F67362034E493F43E9B460258A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC32-6124-6309-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BC32-6124-6309-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.354{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC32-6124-6309-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.355{80A11F3A-BC32-6124-6309-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:26.138{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AD32AFCAA58BF2F1B24C37DE0164FD,SHA256=D8ABADF25043CD814B536183551985059B6D56079B42B7CE57C3B6C935F9F96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:27.441{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96317894626CFBF2FBCA442FB88D6DED,SHA256=7A8C190EF6CE4967E07E84EB7F907C30DD239179FCE3EE072CAC4BCBCC13C6CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.991{80A11F3A-BC33-6124-6509-00000000F001}45884656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.957{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3ED54407DF0FF298676A150F54AF0F,SHA256=4195278E93EB7EE9AED52BAB2803AA1AB407E40FC53D4441598390B6D7B2BC39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.789{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC33-6124-6509-00000000F001}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.788{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.787{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.787{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.787{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.787{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC33-6124-6509-00000000F001}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.786{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC33-6124-6509-00000000F001}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.786{80A11F3A-BC33-6124-6509-00000000F001}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.169{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E98F5076C65CC00A1307E5AA093E590,SHA256=BD68E9F455A11C7C4D1ED4E61A5BB315AC9F1735D426EC5BD153D20C68B148FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:27.169{80A11F3A-BC32-6124-6409-00000000F001}15844808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:28.597{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101CED8DE2703D29BB48641FFCB11BA4,SHA256=2E1ED39597ABD7D9338DCCBC3B085D32A9BDAB8EF86266CC607E729FFC924D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:24.005{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61647-false10.0.1.12-8000- 10341000x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.594{80A11F3A-BC34-6124-6609-00000000F001}23322084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC34-6124-6609-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC34-6124-6609-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.410{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC34-6124-6609-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.412{80A11F3A-BC34-6124-6609-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:28.173{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83A84E5497CBA948741F89DB913F60B,SHA256=CACF4E10E8A1A0E32B9FE254C0AF7653E4D267293F2D3556CC5D782BDA773AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:29.785{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D6E6E4FB82C3C4AB177D7A8C667A94,SHA256=0C1B908216E31BE7F429920A102787D94926C97E39804CBF0BE8DFBFE548F132,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC35-6124-6809-00000000F001}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC35-6124-6809-00000000F001}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.757{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC35-6124-6809-00000000F001}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.758{80A11F3A-BC35-6124-6809-00000000F001}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.411{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5408B404D961E738A13FC12C44F96862,SHA256=56A85A400469D0D2F7C59BFC4513745C1A21686721AB9ABB2BB4606833B190B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.295{80A11F3A-BC35-6124-6709-00000000F001}46405304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.195{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799778884EADFB4E9CCFD79ADDA3F351,SHA256=994B5FB39E1489D248F32F023A0C8EBDE8E48F8406339E3EF77A05C661D27B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.094{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC35-6124-6709-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.092{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.092{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.091{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.091{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.091{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC35-6124-6709-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.091{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC35-6124-6709-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.090{80A11F3A-BC35-6124-6709-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:30.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0907D7E38AC96491993B07B9DA53047B,SHA256=7DC6653516308B897F6C785B3C8C7D4F009A69ACBEE0C5410A393C68C9C0A5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:30.773{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B22EF71D286FA11398D5465C73A378D,SHA256=64E3AC03308EA154C2B05FCDF760537A157FBE617C35C0A42DE6B02229124B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:30.211{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77763405B5E659FF0B0DCDE39BE2CC23,SHA256=71A65D63F11E3170FC96AFB89FA3D8E4B430447904083395E57060DA0BBF4841,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:27.717{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:31.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4539BCBBC9E273C0EA5B8824F35CB99F,SHA256=6F06F6E9B4DC84F636B395847D37100E0B61CF234091BAC5C349027B509BA735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:31.226{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A87D504C1721F450D6494876C43F1,SHA256=DA6262C54CE26BEF1322C39BC7023253958C5C74F0AE340CB1CE5B4BCE98E4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:32.925{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:32.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044E0BB716D406EBE4EA8C42371A8734,SHA256=C891852C9F9F4A457B4575B69790E76A953EF3FEE44C0395BEE2E3299AA6B1D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:29.122{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61648-false10.0.1.12-8000- 23542300x800000000000000048182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:32.240{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738BC88E96F1C0099669A34C2A9D95B6,SHA256=E69E7948EADFA32CFC4E71BE50EAF96EDEA2039FE42936885508FEE90558BF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:33.909{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1FF96F7B6F70CE6369531374FFD174,SHA256=B2364DFC156BC5622B70995149B3147C24009FBFBF67A901219C8C8CB287D336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:33.271{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F842D26367ECCD38B501D37FEDD3AC3,SHA256=F17E5D49EC3BDA11C371B4BCDE5E1849FFEB001A51981BE2BC24188F63702891,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:32.810{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:32.529{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:34.271{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE780C435F3B7F39E1CF2F18D5DBA4F,SHA256=B02422D4CCFB99ADBBE33BCD7235B93A5CAEC1CBF47AD68A8079B4AF22A69050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:35.144{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3E6C81DE058A6E366FF8BBC615336D,SHA256=CE8068B53C2AA5A8BB675647FF3EB2918EFF19F0BF4B81569ADCC215F1ABD407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:35.288{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BAD21C7E9573E439E840918AEE2116,SHA256=F3D144F7A3EB4C8E6C1FF62CF1FED45F835C9A6A911A3FF3F1291A00F273FD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:36.144{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38046F7F3C28C418C9D0808B21B1484F,SHA256=D3BE4322849583E77F053480F47A2C08137F7D04A86ED30A38C4D0637990C4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:36.308{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F253E46F0B5DEAFAB2FB2A1D12B33D8C,SHA256=9AD321FEB49A454BD1B7253C97C9BE1E0F9DCD8A9542BCA311E29144F2B1C618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:37.378{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4EB7DBF52EB6DA79CB8EEF3F0EA065,SHA256=7F7770DCBFD416CBDAFF584EE211530F4C0EC90736C37035D78B7275EAC2D1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:37.322{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE0CF4978253E95FD0C88B84F902DE8,SHA256=C972C0E74D2930A381AFA96DBE08F6B1F9456F90F7D068B10AEA1C095D9C5818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:38.409{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFBA9F2E3405BC17012639C0B0804CC,SHA256=47CD27745CEFEE1A15A02E54F98B0742E1BEE01631F1390F9770E6AD02D95CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:35.656{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61650-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:35.656{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61650-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:35.004{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61649-false10.0.1.12-8000- 23542300x800000000000000048191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:38.737{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F9728A1DFA8A5EEDBEE2D248C3BA1A9,SHA256=66EA9E11D1B54300429F5970354A16FECCF8A1F8B0F59ADF066B756E87BEA841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:38.737{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1B4E0DE1123DD8CDC194F0C03EFAEEB,SHA256=B7907146229D5CD7C7FA45A54A1835E231DE05069A0DE4DEB2F246743EA73982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:38.353{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732C15CAB97942879EBF49600C59D15D,SHA256=AF080FD81B29028673C1A9D542B2FD66467167E1AC2FF48F1F87B696BF684BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:39.409{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C73A9310790B420BC6AEAD49CB7F8D3,SHA256=FCC6ACEB34C12C2DD07CC5EC55D3360D50BBBA104BE490AF74C438698787B847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:39.367{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC53333EC4110EE5BEE6D343B11B0189,SHA256=A3E7A320BA05DFBA19C643F455BD4320F07BBC887B233E4122CE3971F91A256E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:39.021{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:39.021{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:39.021{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:40.654{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C8AED1ACB91079131FFC3933C4E002,SHA256=83B74E2F491E271A72BCAB4EA71A2F096C245F61B0004B88FA7387C3D9A9C4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:40.385{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF137674D8EF493E161CAC98DF692B59,SHA256=82E906FC6A0A5CA82ABFB884AD9457460E65634DF8B01C096C1945DF58538208,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:38.701{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:40.084{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-109MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:41.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1F6B0BA65CEBE23C3F78EE8CA23507,SHA256=2BB0D415758283164DEFAE3CC5EBBE503BF50B29AE1496200A86ECED875F6AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:41.419{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C3158A0EB0AC5FA167B16DCECF5929,SHA256=2CCACED04B488F1148D337B2B455634CFADCDC4B7740244DFAC7096E8C3B8708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:41.093{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:41.219{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\aborted-session-pingMD5=5A604678341D8DC8C0B951617F6CBDB0,SHA256=68D2B246C64A963AB75E2F1C1CCF75F4ACD65E8C1BFDC12916547C814DAD59EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:42.811{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD3A2B1C2A8016D1671562C5C9CE62A,SHA256=A1515D354C3F94875D6391636B79944F88A216B0A239F542C0049515FC6313D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:42.449{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8208D27F6B9D9C8BF8CD0F8B867328,SHA256=683B43562888AF86EF5A6DB2101FEF059319273E46DFD2DB7588710044F7D23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:43.827{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F546B3A3644DEBDF19495A2C0DC41F1C,SHA256=26C0044D5710A5BCFA08D15CF7A8D41A5BE4CD3801E5631F2B17881897D7C385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:43.518{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16585753E5EA899251EFEE2313C53F4D,SHA256=853897026D2869B9D2B7D48D7495E86C2475B5E4EF8F0CF19FA52C6E751EAA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:44.548{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AF5B00B8A1FD0D79AEFFDAB2B3D30C,SHA256=30439184503666D2F0AE9C2496CC84993FD1789A9D2B2E6D7A3BECE1AAFC3994,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:43.775{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:45.061{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:45.581{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B923464BA7B0DA101614A4FFEF999B,SHA256=76947A48C922B21B5FBD2B47526FECE3681697372A5951E1D048B1F207EEEEB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:41.036{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61651-false10.0.1.12-8000- 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:46.296{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA1C2178EE8475E25DFD2DCB9330797,SHA256=AEB5BD2AF2AD394CB048FC02ADB0A71B48600D074EB826FDBBF06C277E477896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:46.600{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46317D7D29B43DD08F7C8D66B09A3328,SHA256=212BB22C2BF0CCBFEAF673A3D2710522BB3932640C6FD410F4C2CB2B9E3FB705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:47.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:47.615{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22DC0EF9DE0E77400F15EF7C359C4A,SHA256=DA3F0686A51EF13E3B1123BEC1E96480EB1EDD48B2CF31922DBD17912D08267B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:48.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA3F79C7A4061ECCDA87351FE74C81C,SHA256=8AB4C3620F055F72F3F767314D0B976DD3183851A63B0ABD55A2BBD6D2B98109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:48.645{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452EF72B320A56A2958A49BB162649C3,SHA256=1036AEC40ACCADA43D75ABAE28CCF8A04F33F5F69EEB474D8A0392E088810808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:49.639{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F185674CB914F600D68B7937DF534064,SHA256=48EE082953DE899F4619C022F358B37C5C7670C8B0CC9461C1DDDAFCC92DFF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:49.677{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2BA21DBA5AA19F300F5B0C908ED761,SHA256=16A5841E7A7BF4E70561284B471AE957F392639CED6769CF5E8E23250557EF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:50.844{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=88BC42F1B14731C9671691F65927E1F2,SHA256=40D822EF6563547ECC210575E1DF5EA10A91E2F05D31C1B8B6443CE9F20481B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:50.782{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8877176848EBD2CB0E7A43123B0E263B,SHA256=BDB3E23B2146C9889D7776604199CBCE76BA216C5666E24448F3E1CCAAE33C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:50.696{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637C8819094A8C58B53D4BC709EC8CAF,SHA256=EB6005BF8F00B39CFA94899175AB42DEBF4849F98405808EAC9DBADE50B06DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:46.064{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61652-false10.0.1.12-8000- 354300x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:49.698{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:51.797{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3223D11BD72025A4C1891E38709DE3,SHA256=959AB15FE8E31718F1701860EF781263B96ACB4D6A3D65158D727679A0C56C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:51.712{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84E0F6503334FBE178E837BC9598CF4,SHA256=B9BC441E255D47A985B95D433D083872F87C998AE7762B7F272897A602658B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:51.258{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.726{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CFD59303D376D7115852307F20120D,SHA256=41F056D8DE45EA096FFDE86ACE8BB31F5C77FAE69F8F2011A3B0183FA567FCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:53.741{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6ECEF03EFA5E02A2659A2E7F0FCE1A,SHA256=88378EE5AD0E72F3AAB1EFDD9210187C97BC0ED1C150FB26FBB483F7C0E3727C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:53.032{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E52213031F3B7637D7AE908541D3E1,SHA256=3C4EF387E9C33297D53AFA42F3E78D463C9BAAC5441B3B287FD25FBFF9F18A51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:49.181{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61653-false10.0.1.12-8089- 23542300x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:54.250{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D73AE8AED39EB8C614501D41DD2E6C2,SHA256=D11FC787A75ADE24F5378F0B935D684C741FE8619E74DFF03471D01CF52B2413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:54.756{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1E457AC8416BDE04DD349A2763D763,SHA256=29B3041BD2E56C7A4E1BF97CFD99012A2CC7765CBC56AC0DB5B02DD5020F6216,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000048220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:54.457{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x800000000000000048219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:54.441{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x800000000000000048218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:30:54.441{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 23542300x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:55.328{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2DD25A796D1ADC90F4E4B14CB9040E,SHA256=95CC9AB1D156FE2B9C5218528B304F2A3137E09A0E4FBB9B34D59B6992508608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:55.775{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82B303CE91D78FDE94323CDB28EBD56,SHA256=F643D18A03A87DA61E04391D63A000FF944550A84B581C98A7FF032FAE93E467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:55.478{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA36D706358E738971D07892FA7D838,SHA256=B385A2D57215D41984D235A1705071B1DE6A1728C2F260C38B16C97191F3F5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:55.477{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F9728A1DFA8A5EEDBEE2D248C3BA1A9,SHA256=66EA9E11D1B54300429F5970354A16FECCF8A1F8B0F59ADF066B756E87BEA841,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:54.730{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:56.407{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3F7472FBC01652421E53E108AF3CE,SHA256=18E088EFFAE5CDB5381176C95D2FF709F973C60B9D95DFC72CA608AEB20AD7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:56.809{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B298688C0C86828C6B489479936D3C38,SHA256=635219AA8306EF1AAB54A825A5DE90865A560EE4B5242928DE3618C1BE414E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.407{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61657-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.407{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61657-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.399{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61656-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.399{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61656-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.377{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61655-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.377{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61655-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:52.092{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61654-false10.0.1.12-8000- 23542300x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:57.823{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4335B0060D9F3BBBC82E3FD873E7B12,SHA256=776BAE89D18367D10A13212D192E674237DB4B2FC5F363386A5F6731879784B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:57.485{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0F94B3AF62C30E463463A7AE8C5511,SHA256=2CAB466F653C1C84EF5F258426E44E82ECF7ADD935F8378C3B832FE99FFDB3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:58.547{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D74737659403647D2AD1FCEAAA06B,SHA256=5EE5ED8C09B17018AB9EC22E6DDA794922A251B48CDF438A4F7DD33383763B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:58.838{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADD0E814C249652B7299A99ECCA4C45,SHA256=B8DB2C638946EA008ECBF5240F5E7BD3BED51E7469863E4A21945FA3F4FF9BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:30:59.766{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D3A778C9D4C8ED84FA92964979AF82,SHA256=F4FCB9AAEA5EBE12E076D06F8B9D72E3FEDC43DEAECF586965003AE2639DBAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:59.838{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CAB6AF426736CAA1EC2B00E492B421,SHA256=400E4193209A8C2F18268A1ED6DC6ED1357450712B23CF8238A847D0F9D372B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:00.813{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5861950096AD2139660E237ADAFCEF5C,SHA256=8035EDB6E5D313C57E0FE6DC3168CEBDE1CBA06F199F28941DE14CAE1C1195A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:00.872{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6B6576E438255C37B9C2465ED9B71A,SHA256=C5C2D02429BBAD3023F6EE58578481400B7567C42CC53C7FDE8E36064203C0D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:30:57.126{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61658-false10.0.1.12-8000- 23542300x800000000000000048238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:01.890{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01323AD24AEE65475CA8237705161316,SHA256=6469F0B5A14A4B94EAB26F01F02F3090FE8C164A5B3B88C57FA5C54620E4D682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:02.906{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B2EC465473D1F920A2998BE0EC0FC7,SHA256=88B1649DC26DED35475B812483A90F64A81BD83113A7D10F018D76D2216DA2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:02.047{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A69E96D2E2FB9DA74269756B3D10E4,SHA256=03A5D6DC2426EC6658E01BFCB75AA3A00B193799FC60F157E42EB68365973240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:03.921{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FFDACCE727294521D61CC818D7F6EB,SHA256=87C847658DC77601857F0927CA8331220C45C7EE1C000E38F1A37A03CC50BA8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:00.683{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:03.094{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33FC8C9D8C7CBA292AA03E0DCFA0517,SHA256=C918B0E22DBBB3996F44DCE75CA68FB42720F171BB8F40C34BA37B573DCE9DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.936{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6501BF7AC10CA04D981BB52FC4EF5C,SHA256=DE5E97DB37DDC15B28F64F09ABACDD449896023601F84EC8C7404CE643832A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:04.110{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E03C1E347CBE03938AFA2B8F88598D,SHA256=FCEFC279B3435F0F8C218189046C836B910C612B787E70FDA9D1933D48F67C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.773{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1CEA3A4653337BF7C1374B18978A5890,SHA256=406FA3626376B57F439CD83019557BEE0323A2159E55FAE0C8A9DF10357F9D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.773{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=0192E5FD08FFC3B426A860EE36E3AF7D,SHA256=82BBE7A71EA9E20DC67FB8B9CFFCFE98C36D20F99175E105B2B968CF30E72491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.773{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E5D6B2882F110FF6BB4BCD5ABF58E722,SHA256=0E7744E9A1918B32C49B73BF5F5C175FC5D378610C1A626D5C7306B682F5A7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.773{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=39FD93A88CB2D6B499B877ADB39BFDA0,SHA256=6BED1EEEDEC0FAD6989BA58A6F1AA8B8EF8689A0188D792C27017BD952C260C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.773{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=3797A306B0325BB5B2C28AB8B72972E9,SHA256=8B1E3B11DB85DE22DD811E7387C6A1A8E037A2E3655AACE8A2EBC7DECC67545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.771{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=08392B70C48FE1C122063594207947FB,SHA256=D356226EDDCACD6F6A23653DF71100396ADC7D1337BD55C1580B835CEEBFE02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.770{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2046AB7E3ECB42FA468DD02DC42CB333,SHA256=24F5EF2D0EEAD4454B0D827CB3D76930300FE2F1A84AD18E6AAC955F3DB01580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:04.769{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=7E0BF58AF1D14F8C281DF24E5862416D,SHA256=36DD1DAC0C55B2C81813F18D95740A393E78BA79CC0799FAED348E60C40A619F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:05.951{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60993091506886406D9614B2034FDCC6,SHA256=7A2491BE8441D26E2537F4AD7AF9EC607410444A8B63CF33875CCFED57EF05E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:05.157{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE298055BC0DFE67E93923DEDEF5A46,SHA256=4D3E2CA12E3606AF236475A1E54E0F9573C764D498599DF46E81E080A45F8678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.970{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D523CE5FC32C0F8F85DB621F164115D3,SHA256=500ADDAFF0BC28636A1E826C1CE3FF44479A1D155E5C1C254BE1DA8DCFA3624D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:06.391{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E497629F6D4F396FBD794992EA638A,SHA256=EBC1CCE0C39F3EDD5FE7116D2A58AE0542E2B4714362F815AC9FC4365CC2DFC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:03.155{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61659-false10.0.1.12-8000- 10341000x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.404{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.388{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.388{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.388{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:06.388{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.938{D371C250-BC5B-6124-D206-00000000F101}8843288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5B-6124-D206-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BC5B-6124-D206-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.735{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5B-6124-D206-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.736{D371C250-BC5B-6124-D206-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:07.625{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC063771E9FA56B86DD966BCACEF173,SHA256=4C47EC2F37A22E8802F6D8C3A6FB3F9549C795E54F0E1CA14257E73F0FA4EC73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.987{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.987{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F546C48034B333CE78DFA039C8372A08,SHA256=C2F3DBDCB52FD8A6B368132626FB3BCE5673BF7E64799DDA3531513A9C37F726,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.971{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.971{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.971{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.971{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.875{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53EAF56E4345CF96B1B6198AE4E0BCB,SHA256=3C48710094C1CA61DAB54ABA059E14474600CE72A22EFF60743DBF3E9B7726D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.875{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E286306C9B0E61BED40915F3230AA7D4,SHA256=14AB72ADF522E0426DFE35DB3ABDAF9D42183E047DA5487252445F183F364F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.875{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FEA3DBC5F611C5A272B3E21EC1CAFA,SHA256=71C17E8631A819022DBA3F96265983DD79E1B835F66FB7C25700A3A4E33342EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:08.987{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC6046D35323B43552A23B004222932,SHA256=85321CC3D9E1363F094A0B765510BCA15C07E6E0E5A2ECF6BF2A31FFA5861DD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:05.746{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5C-6124-D306-00000000F101}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC5C-6124-D306-00000000F101}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5C-6124-D306-00000000F101}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:08.407{D371C250-BC5C-6124-D306-00000000F101}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:08.366{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B3B2C7AB689705310D477077752AFCCB,SHA256=290FDC91F8B95C56A1D79344B6D3A08123EEB946C13CB9EA0FC5DC2DB0E8573B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.987{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:07.987{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.875{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF13566840FCCC6D6E2DCF644D2D39C,SHA256=7A25AF7E259D2AEF7CDBA42920A7976BEE560FDDE29AA95FA815DF62984C32B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5D-6124-D406-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BC5D-6124-D406-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.078{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5D-6124-D406-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:09.079{D371C250-BC5D-6124-D406-00000000F101}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.171{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A53EAF56E4345CF96B1B6198AE4E0BCB,SHA256=3C48710094C1CA61DAB54ABA059E14474600CE72A22EFF60743DBF3E9B7726D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.139{D371C250-BC5E-6124-D506-00000000F101}15043244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5E-6124-D506-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC5E-6124-D506-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.014{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5E-6124-D506-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:10.016{D371C250-BC5E-6124-D506-00000000F101}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:10.017{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B3DD22B96EFDE6405C00178082F303,SHA256=CCDDA22ECBEB096EED12B90E825D247E6165B267BECB16ABCCA095AC09B05011,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5F-6124-D706-00000000F101}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC5F-6124-D706-00000000F101}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.858{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5F-6124-D706-00000000F101}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.859{D371C250-BC5F-6124-D706-00000000F101}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.358{D371C250-BC5F-6124-D606-00000000F101}7362824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC5F-6124-D606-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC5F-6124-D606-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.186{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC5F-6124-D606-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.187{D371C250-BC5F-6124-D606-00000000F101}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.108{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835E27DC43110748B20E63BFFD82C060,SHA256=7F00C064CF85C2A5BAA29B813BC8DEAF0453C6AC53597B4D87B5207F53865051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:11.048{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B3D4654E5CC4834109CF4034B52181,SHA256=9B0B0B16F1B048C05DECF9D55D6860E32F998D0CF3FB1A7A0E73DA0E77FD95A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.764{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFCEA84D1DDE39BF6C27D14E86985EF9,SHA256=0ACC4AD008DFAC241FC27848241041C5554E4ACE6FEFF60A18A1E4B901AB6CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC60-6124-D806-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BC60-6124-D806-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.749{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC60-6124-D806-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.750{D371C250-BC60-6124-D806-00000000F101}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.530{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29CC8EDB47F732DB80D2B0B53EAEC25,SHA256=DF1AE63A53DB0F065ECF03072C9A11F2CC61D686E2CBD01D397F4E2017AAA065,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:12.218{D371C250-BC5F-6124-D706-00000000F101}304292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:09.152{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61660-false10.0.1.12-8000- 23542300x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:12.067{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495D08414921AF7BE65BDFA53E13C031,SHA256=91CA104262C04BEF54A3D4581C211D0612DE834878F99430F559BEE1F49E9441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:13.843{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2093CC0C9E90CA55C0101DE96ADF5C62,SHA256=2E9EF8C3333898A99C716C30A2ACA9565D2C5C2AB7C238878D3A0844F2F8B171,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:11.744{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:13.452{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369726D384784757FD9313475BB46566,SHA256=92ED6187B1D80283CD9C7060E6E97F5C331AAE00A9BB8AC7B9CA979B7FC75C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:13.084{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733D350CBF770F4F7EEC51633D8DD422,SHA256=FB298800BF9D6571DE191F8AC4DBFF89A5FA77E9D876D345DDDF8043ED188643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:14.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F91743731C55573FC0E59491465C46B,SHA256=7D1F1661C910EDF2ECC384525AF149533458B83CF8C8EB27114E84E7A56A8250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:14.814{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad1.ps1@2021-08-24_075548MD5=D029BB21B1157D81D1EC904D6DC03F75,SHA256=7840B72744E37421DAAB9D9BA8AFD31F83FCD67ADCF69FC8CBEA6AD4B7A17AAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:14.814{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.ps12021-08-24 07:50:56.099 23542300x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:14.798{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.ps1MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:14.099{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC40E746B8EE6C95194F5B1CBA4CCB33,SHA256=7AB2494A4D97C72034067AE1C80653D4A008262CC03BEAE177BCC5C9B5FFD6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:15.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD1A7EA55333DF5DC4CB97E2BDC23D8,SHA256=83FE70EBFC4013885422F0D3396AA21106195D9B294B44EB4A9C5A813FC464CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:15.129{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD72774DAD67217A2718545DEE01855,SHA256=39194097A8A93BE8750F3A6EE97C1180D727CE35676FF0EE2A1B8D5B3005B1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:16.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B20A9763F357CF44C8CD98C89F0BFE,SHA256=C1015F9BA2A99D3CA7F3C354F4BC5B91BAA26808C02F80F19846FF04E697B5AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:16.145{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E60876270453E481A287869969ECE4B,SHA256=65AF96C420E307DCFFDEC19D3363D6C7ADBCCB1927AA66FF24020503BA68E4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:17.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D215D00CB18A47F3C4C04ECE25FC23,SHA256=A59B4013B2A5EA717CB52138139F19C5D0F7D24B865B88F1BE471B25A45DC2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:17.164{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B78D3A1ED21E7962CF91D9A7C494323,SHA256=D1B848D64CB5A0FCE4719C27C96AF26097209AB3B62DD68D60FCDDEBC6847FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:18.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8E0117743123EDF2AD9CF21925A18B,SHA256=1E4FB952E4C32D2623504F9B4E6D3724B655CF8341C8982D51B57BD50334113D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:14.995{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61661-false10.0.1.12-8000- 23542300x800000000000000048280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:18.212{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B78D1CB3B1D296B3092745F464952,SHA256=926DA67EF6FEFA5A6D7747943EDC47583A8BDE76EEC76F1BAD5EC0A9B81D7763,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:16.807{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:19.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93148987433881B5B395B211806742E5,SHA256=F449B32F7B785DA4D490CABBCAEE8C5ECA4660A02285F41B839606943A39F28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:19.213{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BD31AD44DD89F368BA01948E4936FC,SHA256=8F5622D4137C224376C042005F162793829B97D894EC8F18E5D8A0E1FEDED7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:20.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0777D497D301614395CC3B52678C7D6,SHA256=3E56DFD190821005F0EC7E55E0435622549AC1533106BD81DDF57F12BD512596,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.981{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.981{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E004B28A10A71FB185346EA823010D80,SHA256=913DABE67635C4027BE80532B2AEF0C340BAEF194C87C719796DCDFBD62EFCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=30228391687DB2B81A561EB9EA53026C,SHA256=1976CD3694049B0C7A8FCFEDA69A15D4A14670982181CC159CE2C23CAD63872A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A83274033B40DDB77C5EEAAABF492340,SHA256=E5F8BC854FEA7154B72DF3A2EB037869D9A696673C23E69AC19540BF14095E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A8BD7B39986B016E79BCDE100857A3DF,SHA256=D39E9CD4F8615D4DC1DDAEA2A9E5665F2F34BDDE80AFF43E1B7E375C3ABB152E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=8E097E03F8C611E13DDDC3DEE073C0F2,SHA256=A20BD35B46BD317866B166383FB1A7F014A8900A1798215C5D86B1EC1D6D5B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A6AA66F0C3065E926AB30AB9D01020E4,SHA256=D2914AD72EA53F05AB9CF648ABD08A9A97559AFB188F1EAE3C44FCA6BE68EBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=58CA41C48EC02E55B560F581411E8B3D,SHA256=45008CC55D0368F647D0A835BFE43A621EE7E77D1FC1A1AFE949471BE01EEA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.612{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D8C765064C25765FBA707044116A121D,SHA256=4E1DFD7C963C6E8D3CE9C4A3A525ADDB35542781B8047832EC85633A2ABC29BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.244{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9774BDA5C42637098B6BF913F4F8F9B8,SHA256=D5A49AA47CBADA3D8B0B1773229F49298C89D12450D9CF8766D960C5C8E98281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:21.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8DC17EDD533EBC92C92847F5658BE1,SHA256=230D6A5EACD5EC3DB5FB402D33B346F365628427EFB7BEC649FA558B3B0A27C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.328{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BD-6124-9406-00000000F001}4268C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79899|C:\Program Files\Mozilla Firefox\xul.dll+e7ad5f|C:\Program Files\Mozilla Firefox\xul.dll+1195606|C:\Program Files\Mozilla Firefox\xul.dll+e766dd|C:\Program Files\Mozilla Firefox\xul.dll+e5e5f0|C:\Program Files\Mozilla Firefox\xul.dll+1ef0312|C:\Program Files\Mozilla Firefox\xul.dll+1a31108|C:\Program Files\Mozilla Firefox\xul.dll+1a3327f|C:\Program Files\Mozilla Firefox\xul.dll+17a86d7|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a8b7c|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a5738|C:\Program Files\Mozilla Firefox\xul.dll+18963ae|C:\Program Files\Mozilla Firefox\xul.dll+1abaa4e|C:\Program Files\Mozilla Firefox\xul.dll+1ab5e8a 23542300x800000000000000048296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:21.265{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AC605F96CFFDC9711639495E59CC95,SHA256=0E962117C6B3586DB94A776C76C65F19CC2C111DFA6A893F269B8823326E73F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.997{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d 10341000x800000000000000048294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.997{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:22.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F05EE73AD1FFC3ADCA79866517969B,SHA256=C24E852DD2391926AF69FA1C7F42F20988D9175705A1D0B663506AA706B46A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:22.544{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00FDAC9FB2BE5432E43B6F8AE158CC,SHA256=FE16E264A1EF837996C2B4BBE1370F6A3ABBDAC4039E776ADCB2DD2C5680817C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:23.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C7BDD5645F6273BF5CF1B6417FFAE,SHA256=A386917CC67D827320C61B231788F0B5BB4DE54EA9FD431E4B33468FAD743AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:23.563{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DBCED0A2A73C0EB0D265F2F88ED06E,SHA256=CBCCD787DB92248E6E62863FD3AB7580F3A81D78680EC616A551033AA5C575E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:23.344{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BD-6124-9406-00000000F001}4268C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79757|C:\Program Files\Mozilla Firefox\xul.dll+8dea37|C:\Program Files\Mozilla Firefox\xul.dll+8d2f14|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:24.561{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F62C3EFE32130337D0D17056A4EAE8,SHA256=F1A92A4693C86FFA9E7EF123430E9BA18EB14F31F40641CC292EB19FA59F87DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:24.581{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB84E0AA5FD1620EFB4DCB35E9CAF38,SHA256=6609228BF470A7631264FCA28D2D8683C5241FF74B37D58D6BA169AE94283E2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.865{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.865{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.865{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.863{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.863{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.861{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.861{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC6D-6124-6909-00000000F001}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BC6D-6124-6909-00000000F001}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.696{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC6D-6124-6909-00000000F001}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.697{80A11F3A-BC6D-6124-6909-00000000F001}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.596{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A98BA147E1EE8ECBD4321D3154D647,SHA256=18128C156C5344BCF5D5D4E5ECA8CE0A7B748756D3CD46CDC4D3470F6892E6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:25.561{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825DE2A744F2BAA62F570CC2D1F1F679,SHA256=3582812429486C1DBB5B884FBEF810810504D4E98B0F12047FA671A55CEA4835,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:22.666{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:25.418{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-117MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:20.998{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61662-false10.0.1.12-8000- 23542300x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.598{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70715CC40C93A1208D200B8279F4D148,SHA256=D5FC736CE01E2408C09A7F55A86D35BA30F5C29F25CD9E805594811FF4983A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:26.561{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9A6C4A68FDA520F68F3B2B67F080D,SHA256=4F60DA7F84F15D420EEA2CB64C135E9EAD95F259D754B78778AFDD4112F8374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.415{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.366{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC6E-6124-6A09-00000000F001}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.364{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.364{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.364{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.364{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.364{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BC6E-6124-6A09-00000000F001}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.363{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC6E-6124-6A09-00000000F001}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:26.362{80A11F3A-BC6E-6124-6A09-00000000F001}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:27.561{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D65E293BD09E60C3A57706C62BCF695,SHA256=519A1D831175DD7F3D6C75BC640D95CE11F5BDAB125163D3B9417A88AB941519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC6F-6124-6C09-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC6F-6124-6C09-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC6F-6124-6C09-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.814{80A11F3A-BC6F-6124-6C09-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.629{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8464DEBA64E8AAF66799DB5AE5778257,SHA256=D6C870999DBCDA7E365AF0B186552758A945E2D5E68180BEAD735DA6E52279B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.183{80A11F3A-BC6F-6124-6B09-00000000F001}37244828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC6F-6124-6B09-00000000F001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC6F-6124-6B09-00000000F001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC6F-6124-6B09-00000000F001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.019{80A11F3A-BC6F-6124-6B09-00000000F001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.014{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA36D706358E738971D07892FA7D838,SHA256=B385A2D57215D41984D235A1705071B1DE6A1728C2F260C38B16C97191F3F5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:28.561{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.644{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1C92BF5BDF50F7370157337BF2BCE4,SHA256=25A006452E8516DF150C0B934477DC9FCC07FBEE24BD9E991A614BB952C1FF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.613{80A11F3A-BC70-6124-6D09-00000000F001}58322956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC70-6124-6D09-00000000F001}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC70-6124-6D09-00000000F001}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.413{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC70-6124-6D09-00000000F001}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.414{80A11F3A-BC70-6124-6D09-00000000F001}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E3888832D87D79EEDAE9D81834F216,SHA256=F56B401148B627583F8E0C7FB4A308FDEF97448BEFC4B61F0DCC02ECE0D2956A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:28.013{80A11F3A-BC6F-6124-6C09-00000000F001}54964808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:29.577{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FE20A5A8F79EB16D444C6D28A023C,SHA256=AEB0FD9C8C3315B51577CA0996F320168DC7837BAB2F2901E85AA2DD7029B520,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC71-6124-6F09-00000000F001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BC71-6124-6F09-00000000F001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.698{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC71-6124-6F09-00000000F001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.699{80A11F3A-BC71-6124-6F09-00000000F001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.644{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B45E79AC9CBA62C986E1B891487146,SHA256=E00EA0E22FA436DCCD78522EBC1C8B7E0A6AC417A525ADD4243C9369DCBDF7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.429{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1362D5F8E8C1F6432EE17E05676C61A,SHA256=CF1A932F08C617F0F3F3CB4D7CC5CFBD92AB28F452B1222F0BA5A9E95C9FBE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.282{80A11F3A-BC71-6124-6E09-00000000F001}62446284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BC71-6124-6E09-00000000F001}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BC71-6124-6E09-00000000F001}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.082{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BC71-6124-6E09-00000000F001}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:29.083{80A11F3A-BC71-6124-6E09-00000000F001}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.914{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224E2CF393DE18BAF1427868A6803283,SHA256=8AC1070D6D791B58B3DE6A4134BF80A3FAF9305BCA4713F1C1104C281E7218C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.914{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14F7983AF6CC403DD8E1EFC8606144D,SHA256=6057930F1EF4EADED092B56D28E3BC8E5749E0C5ED588FB51B71903D2F6BAC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:30.579{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508EDA9BD4A58D586EF1403EAEE6B440,SHA256=1E11B7AD0D407AC53112C9C464522ADEBAD3D75C4B719EF30CF0E2C39FF1A17C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.382{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.382{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.366{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.366{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.366{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.366{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7109-00000000F001}4748C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.328{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.328{80A11F3A-9FFD-6124-1400-00000000F001}10606532C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.328{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.328{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.298{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000048456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.298{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCF0583527844F0211C73C5C79EE758,SHA256=0D555A10BA234564D558143E4EDB863390E78E499BAF1AF51A6D0A3BB812EEE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.282{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.282{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BC72-6124-7009-00000000F001}5088C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.282{80A11F3A-A44D-6124-C404-00000000F001}48966256C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44D-6124-C404-00000000F001}48966256C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44D-6124-C404-00000000F001}48965764C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44D-6124-C404-00000000F001}48965764C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44D-6124-C404-00000000F001}4896996C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44D-6124-C404-00000000F001}4896996C:\Windows\System32\RuntimeBroker.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41605532C:\Windows\Explorer.EXE{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41605532C:\Windows\Explorer.EXE{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41605916C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.266{80A11F3A-A44E-6124-D004-00000000F001}41605916C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x800000000000000048441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.225{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=F7384AE608E96F719FB0DA95FA962E8C,SHA256=6E1A65929FE97EBD92045FC13C0ECB7C17AD32CFCC8261C78DEC7BC65B3EAB1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.225{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.225{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.209{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.209{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.209{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.209{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.194{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:27.807{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.192{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.192{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.181{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.181{80A11F3A-A44E-6124-D004-00000000F001}41606932C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.144{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0D00-00000000F001}908940C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:30.128{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.928{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D3CADD3D60175B1C385EA40AAA9AAE,SHA256=964D7AC708423FA29ABEFFD2A777D5777800813F4AE8083417A4827CCE79025E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:31.579{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E20007157CCBA14530C09DC8628DC5,SHA256=F886DFE7A6AC66EA06898EB804A697851DB7E19580A6E3D872FB33930C1542F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41605916C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41605916C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41604616C:\Windows\Explorer.EXE{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41604616C:\Windows\Explorer.EXE{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41603088C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41603088C:\Windows\Explorer.EXE{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.166{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.160{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.160{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.145{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:31.145{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:27.033{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61663-false10.0.1.12-8000- 23542300x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:32.954{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:32.579{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95134971ED8C866D4448A9BCB8B80B6E,SHA256=A68190167993CB627C799E7A37CE432BC737C4C89B7448703FB251357F927C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:32.943{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A14FCF8494C0E5C0C9DC0A63AFBF0F8,SHA256=90E4B32B3872476E57128E07A0AC8188F354F339AB18C9454865710CD4D25BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:32.028{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad1.bat@2021-08-24_093130MD5=7AAEAD3D2409E2BC5AFB8EC85E8DBDAF,SHA256=635BD37BC1CFA5F2B4143718D8E0E3FC46EA0E03C5805918EBA9A070891A581B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000048488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:32.013{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.bat2021-08-24 07:50:56.099 23542300x800000000000000048487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:32.013{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.batMD5=9ED9C08869DF39B43916B1B9F18E7476,SHA256=9C2FF6F5A2D2665C51D4543C44B45E8C0303569393B57B02D8FF9909B9D3C323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:33.962{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617F927C77F0E03CA8D7C2BBF7198431,SHA256=1269D74F18275944B97E583A1E80B509260966D5B83A943493C073F664A187D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:33.594{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311B2016F74C60F979BB9BECA76923DF,SHA256=6C45F85E044962E0647E5186F55D32EED893647823CF17ACC4F5E199EB05446C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:34.594{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95720B0B63E9349ADDD3A123408DC278,SHA256=7B97AB3CB51DDC5B43DB94AFB14F54C63B0ABCE6BDFD0A37019E9E4EDB7A9B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:34.983{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBA17D2978F2C1B56171C9CA59CB049,SHA256=2C3372390E1B8E5C08677E6BEE810BD7D1CCDECE2B1F9F6806AEA6208AFC6431,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:32.559{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:35.750{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E31ECF304EA31A1BF13EFABC8D7E94A,SHA256=AF14260A7B62E5A2D16382E5EBE4F3644C4FA528BB5F2396C991CA329742240D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:32.824{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.814{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:36.766{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F8988F9B3D9693C62B4EBC01B420BE,SHA256=4005D2AC3C3D5A771B95C4947A5C5D485522B320ED0C3CBD67FA268F9BF15D44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.644{80A11F3A-A44D-6124-C504-00000000F001}49965640C:\Windows\system32\sihost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.461{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.461{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:36.461{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:32.050{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61664-false10.0.1.12-8000- 23542300x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.998{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88575DD9AF2804A36A8D2134ADB8593C,SHA256=55545DF86B2610448D7244928A273E7F691139295904A4AEB83047C6BA6E4E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:37.907{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:37.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1240C9296D17BEC6C239398A1FDED50C,SHA256=604E4E02937CD136ED07AD7ECE19FE8C555DAC7A03CCD15EC9DC6BE946030835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:38.743{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0BD7FAF8B90E845AC93C8269165E95,SHA256=27F8B7F57B2745B2ADC4CCC0BCC56854C3CFF147592F556ECF1A8088EE560ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:38.743{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755072AEBB27905551B2478CC5A0976F,SHA256=4C73FE6DF7AA629338AD47F7FBB43C1001ED556ED9D6DCB6C0A51FF629031932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:38.043{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F368BA2B9C3829C3C706476BA2FE724,SHA256=1E988F8533A1F80AA7032A53B59725CBDD223CFB61F3399B32BFA211F201510B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:39.016{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B3A9AD15F629A6E47215AC6125436D,SHA256=F02D63B7B1448E8A0A8C5E5C4C98CC76F87CCBF532764EB16197E54A13AFF2B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.664{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61665-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:35.664{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61665-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000048512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:39.062{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7390950304DB76B7ED8BD0A0F7E63BD4,SHA256=8815DCB074D93FD4102C5F4E52267095B97806B89094E3B997259DC933557F80,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:31:40.579{D371C250-A1CD-6124-1500-00000000F101}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798ca-0xd805c4f8) 354300x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:38.731{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:40.235{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E2BBD8CF91B658C7CB4593A7A29E42,SHA256=DA3ED79E1B0B700A3DB3E2C7D4B10B7C445B2927C60FD07D7A8173B29523ADBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:40.085{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602E42CE06AD3B076B1C2FD9D5E61E4E,SHA256=C7FDBEC522EDE474CCD7DDB700D04D7D5466ABAB792F692826671E2F613FA064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:41.613{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-110MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:41.392{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5FF8614CD621D77D78C77FEBBA02BA,SHA256=A2D255A97C6A990B78F7A9B99CC92E5904CE0D0851C689ED2FCD52CDC961CA88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:41.231{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:41.231{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:41.231{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF6f6332.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:41.100{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E86DFAA1E9536B3D5A2640096B56663,SHA256=01EB725324CC56F931F32CD8BB105CDB39CE96C4CF25D38BC9A2429B55CAD39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:42.619{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:42.414{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F8A32C367DACCD25FA47C1683F5283,SHA256=1D446DAE17E3C42779634035BE83CE25567BC8A4C966F34A2B2B9E43D630010A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:42.199{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:38.099{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61666-false10.0.1.12-8000- 23542300x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:42.131{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6B45529F1F95592738442D7CA4AC42,SHA256=71A6FF98C83E005111A6148B52C2E0170054C113B4AF34A7BDCB7142D401B656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:43.649{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59685B101B4069CEE1EC1379C5B09AF,SHA256=C41C31E01339D583C378DD08E7CF4ED3281D6033546144CB8B591E7AE2C1AD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:43.165{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCCA20E25399A148611B548ED205918,SHA256=37623AC73C3D4874F31850BF48C277F57C98B3B78626D66B9BFEFABF84EE6E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:44.853{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D366B2280AE67234264184B29395547,SHA256=0E51505A8DC457D97C3D8338209D402D1A9D9B01AC65DE29D42E26C262FAB7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:44.182{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91D51DD420E063AC9CA7928E0209F75,SHA256=951E0B936329C422B9DB3C17463FA649D3310717C0811231364BC66DEB3C8462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:45.884{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9EC9758E94FDA3B72004FAAAE4ECC5,SHA256=999D4824EE7A7319BD1B2975A577DB7AC492383D2487B7E3AEEC12F04E83FC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:45.197{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4E191C3639DA2D552A200971BE950E,SHA256=8473D20624149DFA22B026BE7974BC94D485E0FE20A7891D140DEA72B3EBB4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:43.849{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:46.199{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B66D67BC7AA984122AAA7FCBF2859C,SHA256=1506311721B8B29AD283486519A016EE4A2010C5B76BE2C853BBF712F0EF4ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:47.229{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BF8D831B0D61E8ABCFBE7F58571F1B,SHA256=82AE5BBB7F1A6A3EC26C7FD0704BCA250C42DEC1BE89AA34630A6D5F9AEE774E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:47.103{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B4E9DD332680143BD5F7958FE241B8,SHA256=0F81A6777F8810A3466E8F138707713587FD40E0DD352FDE85061068566B4F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:48.337{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C7D26BA65C5775AC35E407C99D42B0,SHA256=13169456532E5F5D363558D025D18A67A6A87E66F614E509761E4B814FE047CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:44.019{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61667-false10.0.1.12-8000- 23542300x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:48.230{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24C8741F43AA3A7EC32F2D06AC7A150,SHA256=495D364996EF63CCACEB6933C7DF1277464A7F19CFC16AC56B0C7C7E8A0102E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:49.400{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4398ABFA4DA7FAB221639010223C424,SHA256=875EA43396C8528728A42F4583B6506F79A6BDBA83EAAE83DAE852F311904AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.298{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7953C827FE74B6AA90DE50DC862764D,SHA256=4361B4286BCFDC4C2D50375D330E46988DA6C1963BE828174CB4E79077D48D65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.013{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:50.856{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D58A6C10BB13B7AF131EB93DD03645D,SHA256=3AB3108A7F450084758472BC7F113930CDC38968D31E523C79851CF70788E8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:50.403{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846125C1AB13C44382E2683AE3F63368,SHA256=271244DEE55CF8AC05A5F15738314A48CD13D0DB336F415AFF9AAA3ED5FA9A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:50.299{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F29D5CD594D787FEE4207B8C85B336,SHA256=B79AFBA0E86EBDC81C4E258B33E8301A6B127CDC7E0628329F1B57EFA3862430,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:49.806{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:51.403{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10092EB0A735C245B2F3573D6093FD71,SHA256=11A203F2877F43F9B880537A96DD70F6BD677862C229DE2470E57D82C0523699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:51.314{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D012A030C8414A09857BD19842E7AD,SHA256=9CC4A7E6C88F6DCAD93FC0DE4EF81C9D23E783330F342654C31135B1593F3571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:51.283{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:52.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FE20825E7C31624B87B3AFA423C263,SHA256=0700F86F38DB6B6061E2EE5C958655E2F1EC253B2F62A69A1C3282D5272017FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.034{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61668-false10.0.1.12-8000- 23542300x800000000000000048566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:52.321{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E889568921C23E77E4286FBA36647D9,SHA256=3DF3A5E78B44BDE56D674FC89A13C6FC0BC01136885E64765C1B26839D102B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:53.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C6F15C056F23FCA2D469995F791CD0,SHA256=6849F3A0BAB8B35E768014B8AA243857B71549CFF9CC3B3D1CA4AD95B15C72EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:49.197{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61669-false10.0.1.12-8089- 23542300x800000000000000048568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:53.336{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEC635133B2D0B036B55F1C4D6EAB0,SHA256=D22E10BDDC15830DEFAFA391E8DB4272226746F29547E2534F3F008E583ACA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:54.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6A2F625313B607862BAF7C27113DEB,SHA256=13316272AF2A945FD6DE379380698483AC10E35F9E4B16E06C1F50793E5C21CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.935{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECE05E33043A7DDE44F32B78563AE850,SHA256=78978408D5C534CFCB1A2E7B45D68711F31CD78347E8260207BDE3CAE85B0193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.935{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0BD7FAF8B90E845AC93C8269165E95,SHA256=27F8B7F57B2745B2ADC4CCC0BCC56854C3CFF147592F556ECF1A8088EE560ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.719{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.719{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.719{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.703{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.703{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.703{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.703{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:54.350{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CCD800A1F75592CC7F826458ED1011,SHA256=A72718CE51E15E35B96BE90E8F261DC75F85783D9C3E71AE00079048EE0C7DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:55.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EE661EF5DB45B6DD1FABB31378B93E,SHA256=28650D62364F7DE63339AA1B515371CDBD1786DD6315F64F5590DB5A108B7F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:55.370{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E84CA8381CA0493A60A382BB21FC1D,SHA256=0AC79344869FF178F07933E2F269BEABB086B4949B4D7B57276C4C32FC03AD27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:56.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F723DD062B0E74D2BA8DAD9E836D7,SHA256=DD837522B7A36449CCB73D3230E9FFD5086AF71597B1637636A3DE91119C02F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:56.387{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8CDEB643B52439A665BB0F7BE483BB,SHA256=C12717F07222D053DB2AD946CF5BC6D83916D754889ECB1EBD882393E1A60128,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:55.712{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:57.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840DF1F6F4124336E7DF1207EC6FB487,SHA256=36614E5D056864DEA7CEE7D6808463553E686FD66EC864987E64F10D179B4107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:57.418{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748EF97F54561B34BA2630C83AD41349,SHA256=110E8FF2E9A6258F526D36B85ADB4553BDDEC82390EF6FC055939A8A4B8868DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:58.872{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFDF7DAD924B9E0C51C9EA8FC03C3B0,SHA256=875042E22483C0E3DE99F234D494CAAC040429314995CE41DEDF34995CF60880,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:55.054{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61670-false10.0.1.12-8000- 23542300x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:58.433{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E7D7D3358BCCC8F0B65810297F7311,SHA256=F00B52A8047128C9106A293CC2FCF7CBB6A1F0291C3DC4A84C7E38A0228B71A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:31:59.888{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EF6CCDEB0A3B7B99FEB882C4B6D72A,SHA256=984ECBCFAB6764D044F7B8E1E38D2C4B80074CB58D092DB18630411273D12C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:31:59.448{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2777D68C12E7702633E6005F9E9014,SHA256=9144B080EABEB318A8366D3EB944324EE8F087DD423DA0E2842B81518A094B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:00.966{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFE11B367934161E95C086EEA002DC8,SHA256=535264DFC52EC9D9245FBAFE493BCB61A12EA60CC299975209D3DFA9FB770BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:00.465{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CDBD37C66E676F500DAD0AFCB9C1C7,SHA256=C3629C2EED748FC99BEA186F948267DD7410226604F9D41F9D041D5269EA77FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:01.966{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8515AC131B2C314E0DBEC81C323B5F2C,SHA256=A114B97E2DBB94D9F6ABA424BE75A8A6BCBCEB45740F267CA64BD5B8488A1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:01.484{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2DF6A9AC1B4DB31B1C6380C672E102,SHA256=134DA16221D6D8DBFB526BDAFF464C21D03F823FC5E7B06F582716A02703D2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:02.984{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=97A533059E6DE09FBC62BC846212B08C,SHA256=6C3CE38B9C495CAA81A810D1665B2465A13C03F3F2D846FCE761C91AF8D04BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:02.485{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12B5FA41623AB69EDBB5F280C8369DA,SHA256=DA983FB95567A73B51EFE6F37868567E33923C6D2B1480EF8503A1CE9F986F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.983{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB7195B920BE28965DB697CF07242F00,SHA256=30868249B02EF42BC1273947FFC68EB3C79FA6AC6934C0BA5D74D3AC4CA04353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.965{80A11F3A-9FFD-6124-1600-00000000F001}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=0C066D90831ED2D80F04C356FDC1D203,SHA256=80591D35A45D0F3DBFDA42792D3BF59B10F403142A4531B51A4D68F10262ABBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.946{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC93-6124-7209-00000000F001}184C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.930{80A11F3A-BC93-6124-7309-00000000F001}2940988C:\Windows\system32\conhost.exe{80A11F3A-BC93-6124-7209-00000000F001}184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BC93-6124-7309-00000000F001}2940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BC93-6124-7209-00000000F001}184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC93-6124-7209-00000000F001}184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.915{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:03.499{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BF0FDC4CE2AC2F4127D71CD6D1FAD3,SHA256=CB73C7F065B532133F62EC9CAA48577A5CFB3F04455C50A64A18710EA1E12253,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:00.868{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:03.200{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46BA99E646BF08424DB31436999EE0B,SHA256=2E7E59D5C3BA8765B2F845DD481A474C53AC29E6E1E4022587C20B62E00D3AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:04.403{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C58453BED6297845A58EA548A324D0,SHA256=CA426CA5A968EF36719B231B33B0B20B4FCA3CF833D26EBF42E1DDCE2E5B2D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.930{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19A32E75305E74A7A04BCBDFA8DAEBC,SHA256=8365560E16FCF927E0F113313D82A45FC9B9F35C72174DE94F8AE3728735D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.930{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECE05E33043A7DDE44F32B78563AE850,SHA256=78978408D5C534CFCB1A2E7B45D68711F31CD78347E8260207BDE3CAE85B0193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.515{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D167CEBB1748FFEB3A1944B7CEEA0E7D,SHA256=A681F02D352CC2BBCDFB80ACC6FF39BBA7B10C1731597FE0D381A876CCF3F371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:05.638{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E86B75BDD411CB5EC660124274B8991,SHA256=1CEEF4CF518786D6AF07E10C507A529C298E54571D9ADC993E322233CD9BD348,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7A09-00000000F001}2332C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC95-6124-7A09-00000000F001}2332C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.991{80A11F3A-BC95-6124-7A09-00000000F001}2332C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet users /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000048658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.965{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7909-00000000F001}5816C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.963{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.963{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.962{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.962{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.962{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7909-00000000F001}5816C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.961{80A11F3A-BC95-6124-7809-00000000F001}68644656C:\Windows\system32\net.exe{80A11F3A-BC95-6124-7909-00000000F001}5816C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.961{80A11F3A-BC95-6124-7909-00000000F001}5816C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BC95-6124-7809-00000000F001}6864C:\Windows\System32\net.exenet user /do 10341000x800000000000000048650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.946{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7809-00000000F001}6864C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7809-00000000F001}6864C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.930{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC95-6124-7809-00000000F001}6864C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.942{80A11F3A-BC95-6124-7809-00000000F001}6864C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000048642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.914{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7709-00000000F001}4148C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7709-00000000F001}4148C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-BC95-6124-7609-00000000F001}71444808C:\Windows\system32\net.exe{80A11F3A-BC95-6124-7709-00000000F001}4148C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.911{80A11F3A-BC95-6124-7709-00000000F001}4148C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BC95-6124-7609-00000000F001}7144C:\Windows\System32\net.exenet user /domain 10341000x800000000000000048634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.899{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7609-00000000F001}7144C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7609-00000000F001}7144C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.883{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC95-6124-7609-00000000F001}7144C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.894{80A11F3A-BC95-6124-7609-00000000F001}7144C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000048626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.861{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7509-00000000F001}2944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7509-00000000F001}2944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.845{80A11F3A-BC95-6124-7409-00000000F001}45683724C:\Windows\system32\net.exe{80A11F3A-BC95-6124-7509-00000000F001}2944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.856{80A11F3A-BC95-6124-7509-00000000F001}2944C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BC95-6124-7409-00000000F001}4568C:\Windows\System32\net.exenet user /do 10341000x800000000000000048618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7409-00000000F001}4568C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC95-6124-7409-00000000F001}4568C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.830{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC95-6124-7409-00000000F001}4568C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.839{80A11F3A-BC95-6124-7409-00000000F001}4568C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:01.052{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61671-false10.0.1.12-8000- 23542300x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.530{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309AAC27AA5BE686513DB9544AFFAD4E,SHA256=928D6DEF4DE16EEDC7E49B7BD7ACA88E94485E82C9C5275DEF038C465D91A340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.045{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B2C536E3D191395AEFE737C069728AAF,SHA256=6972EB6B2FDA9578912F4AB0BA326F62F32011F5BFC5DC35991C59D4328C617A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.045{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=303EDBAC2B00393EA2C57A1C6A9CADE8,SHA256=B8E5C94061C3CB5B9EDDDB7E9643F07B51D6D7A4DE983E153BC2F3A8F62DA6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:06.685{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCBA3FA7FB988EE4B6CBDFD4B6F3A82,SHA256=2789727AAEC9D1BAC80BDF1A31C3921B4CACCB641773F6419A1BE7C7817BE385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.948{80A11F3A-BC96-6124-7E09-00000000F001}6972NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.901{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F19A32E75305E74A7A04BCBDFA8DAEBC,SHA256=8365560E16FCF927E0F113313D82A45FC9B9F35C72174DE94F8AE3728735D371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.785{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.785{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.732{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.732{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:32:06.716{80A11F3A-BC96-6124-8009-00000000F001}6424\PSHost.132742711266105275.6424.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.701{80A11F3A-BC96-6124-8009-00000000F001}6424ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vjl2opz3.y1q.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.701{80A11F3A-BC96-6124-8009-00000000F001}6424ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ip03jzck.grf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.670{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ip03jzck.grf.ps12021-08-24 09:32:06.670 10341000x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.648{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-BC96-6124-7F09-00000000F001}46881916C:\Windows\system32\cmd.exe{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.610{80A11F3A-BC96-6124-8009-00000000F001}6424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe get-wmiobject -class ds_user -namespace root\directory\ldapC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BC96-6124-7F09-00000000F001}4688C:\Windows\System32\cmd.execmd.exe /c powershell.exe get-wmiobject -class ds_user -namespace root\directory\ldap 10341000x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC96-6124-7F09-00000000F001}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-7F09-00000000F001}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.601{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC96-6124-7F09-00000000F001}4688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.602{80A11F3A-BC96-6124-7F09-00000000F001}4688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe get-wmiobject -class ds_user -namespace root\directory\ldapC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.532{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39848F92DD146311ECA94845F27738,SHA256=9FE8A46D2035E483DD2A3D1D4E945A100760359DE76643519A0452D362409994,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000048717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.532{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000048716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.516{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.516{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.501{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.501{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.485{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14722811B413C0DA929062A25F4CBC6,SHA256=9C6788735DA88048FA7F9C95E9B78963CB232C74BBE0A5033851C09F58145893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.469{80A11F3A-9FFD-6124-1600-00000000F001}12961704C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+102c6|C:\Windows\system32\wbem\wbemcore.dll+d267|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+104fe|C:\Windows\system32\wbem\wbemcore.dll+25435|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.433{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.416{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.416{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.401{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.401{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.401{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.369{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.369{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.316{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.316{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.301{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.285{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.285{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1147D4B6E496D145540835F81FC46EB2,SHA256=95626964B9832E93ED63DA24AE6844E8DF4BBA5B04569BDD22DC1C90A7F3BB87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.269{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.278{80A11F3A-BC96-6124-7D09-00000000F001}2664C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname /VALUEC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.233{80A11F3A-BC96-6124-7C09-00000000F001}4508ATTACKRANGE\AdministratorC:\Windows\system32\dsquery.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.169{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\System32\dsquery.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.147{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.147{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.147{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.147{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.131{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.131{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.065{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.047{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.059{80A11F3A-BC96-6124-7C09-00000000F001}4508C:\Windows\System32\dsquery.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft AD DS/LDS query command line utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationdsquery.exedsquery userC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=0F173F934D6FED9B140763559F70DF65,SHA256=3201CC050F642D0B3AD759EDCF57287082200831A258FBC2F17B4C96B53A28A7,IMPHASH=D442E29184F60B794AD2B7508D569FC3{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC96-6124-7B09-00000000F001}6124C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BC96-6124-7B09-00000000F001}6124C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.999{80A11F3A-BC95-6124-7A09-00000000F001}23326296C:\Windows\system32\net.exe{80A11F3A-BC96-6124-7B09-00000000F001}6124C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:06.007{80A11F3A-BC96-6124-7B09-00000000F001}6124C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 users /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BC95-6124-7A09-00000000F001}2332C:\Windows\System32\net.exenet users /domain 10341000x800000000000000048666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC95-6124-7A09-00000000F001}2332C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC97-6124-D906-00000000F101}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BC97-6124-D906-00000000F101}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.731{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC97-6124-D906-00000000F101}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.732{D371C250-BC97-6124-D906-00000000F101}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:07.685{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853CC48B020C4526721139EFCB7F7707,SHA256=171D5719A3A75B1E6F64D1893A3E5DF12B51B2CA01D9D77642C0397796DCFD50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.469{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61674-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.469{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61674-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 10341000x800000000000000048756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.884{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.884{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.108{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61673-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.108{00000000-0000-0000-0000-000000000000}4508<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61673-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.100{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61672-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.100{00000000-0000-0000-0000-000000000000}4508<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61672-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.785{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ED30C4F7BDF73040D3ACB395CBCEAFAE,SHA256=92A9276B6E54CB6C93E7F5247484BF59B719FEAA87822F378150E40BFA1A7828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.785{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9C7359D29C51CECF0B22A7C5D9F4E,SHA256=1A3D881EAD5FC48E2DBE0DA02FABDF3F23FAE8F221CFD4551DE51DF9741A8058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.448{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.448{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.448{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.398{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61676-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000048772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.398{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61676-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 10341000x800000000000000048771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.914{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.914{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.842{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61675-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 10341000x800000000000000048768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.914{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.914{80A11F3A-A00D-6124-2D00-00000000F001}21482864C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.815{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA45CCEEDA3A750BEC121DE022BBFF,SHA256=27F9AF2007617302C959F0F0C7256DF9583442FEC676D03CB17214E7681509E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC98-6124-DA06-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC98-6124-DA06-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.403{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC98-6124-DA06-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:08.404{D371C250-BC98-6124-DA06-00000000F101}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.384{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3B2291514C2C66C71440868D31EDDAAC,SHA256=066999079E2A0196B5C4DC6D530350880CD9B5192BB5D0E348C4584B5EAF71CF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000048764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.845{80A11F3A-BC96-6124-7E09-00000000F001}6972win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x800000000000000048763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.164{80A11F3A-A00D-6124-2D00-00000000F001}21483080C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000048762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.466{80A11F3A-BC96-6124-7E09-00000000F001}6972win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x800000000000000048761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.163{80A11F3A-A00D-6124-2D00-00000000F001}21483080C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000048760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.099{00000000-0000-0000-0000-000000000000}4508win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;<unknown process> 354300x800000000000000048759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:04.842{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61675-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.986{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9080AF6A34B8B5E9BE1154BD98F910,SHA256=6880EF9EE0ECC8C89A5927739A4D9905ADE45B8C25D73FCDA8A39A4D5BD8C723,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:06.884{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.200{D371C250-BC99-6124-DB06-00000000F101}3492824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02461CBC331006C3111DC0698C122B19,SHA256=AA7839AF783495EEFD0D6EE707153FCBEEFBCCE683A470229B203F2F497E8BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC99-6124-DB06-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA14EEBE52E495FE309E8304EB735A2,SHA256=545A121701FE774D06593E6E880857EC1AD66F231CE638CE5E8114766B18AC96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC99-6124-DB06-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC99-6124-DB06-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.015{D371C250-BC99-6124-DB06-00000000F101}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:09.013{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3C1239BC63A04B99CD5AD34AE6E462E,SHA256=BA4986BDF4F4E1C7C49A2ABBDAADC5514C55867455C561A4AC62EB3A9017A803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.598{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.598{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.565{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.564{80A11F3A-9FFB-6124-0B00-00000000F001}632848C:\Windows\system32\lsass.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000048797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:32:09.545{80A11F3A-BC99-6124-8209-00000000F001}3396\PSHost.132742711294680512.3396.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000048796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.529{80A11F3A-BC99-6124-8209-00000000F001}3396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_b0obguqz.mup.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.529{80A11F3A-BC99-6124-8209-00000000F001}3396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3fjdwxxx.gor.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000048794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.514{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3fjdwxxx.gor.ps12021-08-24 09:32:09.514 10341000x800000000000000048793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.499{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.467{80A11F3A-BC99-6124-8109-00000000F001}63962616C:\Windows\system32\cmd.exe{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.468{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-ADUser -Filter *C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BC99-6124-8109-00000000F001}6396C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-ADUser -Filter * 10341000x800000000000000048784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.464{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC99-6124-8109-00000000F001}6396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.462{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.462{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.462{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.462{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.462{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BC99-6124-8109-00000000F001}6396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.461{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC99-6124-8109-00000000F001}6396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.461{80A11F3A-BC99-6124-8109-00000000F001}6396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-ADUser -Filter *C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000048776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.430{80A11F3A-BC96-6124-8009-00000000F001}6424ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000048775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:05.401{80A11F3A-BC96-6124-7E09-00000000F001}6972win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\system32\wbem\wmiprvse.exe 10341000x800000000000000048774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:09.183{80A11F3A-A00D-6124-2D00-00000000F001}21483080C:\Windows\sysmon64.exe{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.174{D371C250-BC9A-6124-DC06-00000000F101}40204052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.049{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02461CBC331006C3111DC0698C122B19,SHA256=AA7839AF783495EEFD0D6EE707153FCBEEFBCCE683A470229B203F2F497E8BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.033{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D0B30E1D0B657ECCFE0CE151CAAFEE,SHA256=0B0DA3B1BDC10DE7609CB92C2AC491F5610C52B5A5237C088EBD9C21771C4FCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.033{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC9A-6124-DC06-00000000F101}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BC9A-6124-DC06-00000000F101}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.028{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC9A-6124-DC06-00000000F101}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:07.001{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61677-false10.0.1.12-8000- 23542300x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D479D12D9146EBA94E24D814337860D1,SHA256=4F3522D7AABC68D27819DE065648D40A640369FE3E3B1E0329014B1A6179F6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E0C2B177336B1AE05184F11D099D2AB7,SHA256=1E4C0704667D5CB41154AF99627AA5EB8DA313342B483A7623CB22F4F689E5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2B60184AEE43814C24AA541A81764DA5,SHA256=8BD5C624D62686DAA55A60111E40EABFE6EFD2500A1A20728DAC17F65CAB6AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1FA8F80CF6B19DC79C012C13CF90E261,SHA256=6C02937F3517A48FFEC1D7EBB12EDEFB02D53E9BFB5E2C6E3AB052C0B3857D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=0D4268567EC76E899C25F737EBB71FE4,SHA256=443A0C5FF85D7F092841F1626FFFD04A1CE3E53815A2D4ED36B93C8527F98C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=754F81E5BDF940A50DC15ABFF5BBDB78,SHA256=76A53861B1B10313D93FA82F6F53CDFB7A02EDAAA7509F8F26DD11B7B936C5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=3D092F7233732E37A889ED794909B3DA,SHA256=FD0BD76215F6A4EE623742296DB0B7F7104FD03E4F41FE9BFDBFFE768B9C3402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.917{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=12F76B9048BEA34A40C6EBA4B22A4959,SHA256=BD384B9466FB7022B1695759ACD71AD8DF59852C533D86312AF9261B12B6CD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.801{80A11F3A-BC9A-6124-8409-00000000F001}2752ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.655{80A11F3A-9FFD-6124-1600-00000000F001}12966872C:\Windows\system32\svchost.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.655{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.617{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.617{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:32:10.586{80A11F3A-BC9A-6124-8409-00000000F001}2752\PSHost.132742711304897517.2752.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.570{80A11F3A-BC9A-6124-8409-00000000F001}2752ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_otzpydd1.mlv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.570{80A11F3A-BC9A-6124-8409-00000000F001}2752ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ysusi0v1.tl5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.555{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ysusi0v1.tl5.ps12021-08-24 09:32:10.555 10341000x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.539{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-BC9A-6124-8309-00000000F001}42725164C:\Windows\system32\cmd.exe{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.489{80A11F3A-BC9A-6124-8409-00000000F001}2752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-DomainUserC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BC9A-6124-8309-00000000F001}4272C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-DomainUser 10341000x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.486{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BC9A-6124-8309-00000000F001}4272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BC9A-6124-8309-00000000F001}4272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BC9A-6124-8309-00000000F001}4272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.483{80A11F3A-BC9A-6124-8309-00000000F001}4272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-DomainUserC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.470{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE425E14FE9C7C08CA4E6B425B4A9E83,SHA256=DD55861737E57A6D6B109DD61121259E19B98B824DA20BE78CBC341FAB755C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.455{80A11F3A-BC99-6124-8209-00000000F001}3396ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.417{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=88B2B97F1AEE10248B78688D515728D0,SHA256=B339186B35971C8C745B69CFBFE289273130CEF7D89088DDB65EB4661722DB29,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:10.086{80A11F3A-BC99-6124-8209-00000000F001}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 154100x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:10.029{D371C250-BC9A-6124-DC06-00000000F101}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC9B-6124-DE06-00000000F101}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC9B-6124-DE06-00000000F101}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.861{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC9B-6124-DE06-00000000F101}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.862{D371C250-BC9B-6124-DE06-00000000F101}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.330{D371C250-BC9B-6124-DD06-00000000F101}37283316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC9B-6124-DD06-00000000F101}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BC9B-6124-DD06-00000000F101}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.205{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC9B-6124-DD06-00000000F101}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.206{D371C250-BC9B-6124-DD06-00000000F101}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:11.033{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0E1E4DDE310C078E02AF4B0F2AD886,SHA256=8F338A91B06FACF368BC110A47A3CED4543791D4D9C2A8C5BFE34FC8CE3F3CFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.246{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61682-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000048851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.246{00000000-0000-0000-0000-000000000000}3396<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61682-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x800000000000000048850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:11.485{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F4ED2AFF49D5111700AACCA0D4A916,SHA256=5EDC0E50A5516AECEE3E85CED19851546B8C8FF5853B23519328C45CD3B465C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:11.454{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4BC92F033D97688BE9C4667544E2D02C,SHA256=FB192CF37C078D26DF4C55087EDE0CB369ABBB6AA976A0486C269A373C4CD468,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.169{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61681-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.169{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61681-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.110{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61680-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000048845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.032{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61679-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.031{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61679-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.024{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61678-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:11.134{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BD522C61BF53096B0B58856BD92488,SHA256=8B5246BFF2259E01D1D89111DFF53DA12922A26CB0418ABE62D1087BDBF412D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BC9C-6124-DF06-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BC9C-6124-DF06-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BC9C-6124-DF06-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.442{D371C250-BC9C-6124-DF06-00000000F101}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5561FDBBC6C1469D9924320C2AAA41E,SHA256=8055B5271DE64747E1F1504AE60314AD084B0A86BF600B8AD3622FCCD9AB33F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.439{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A845A81236AB86967DAA9203BC7B99,SHA256=49FB0C6DBBDCE4FEA7D7A8ED315035B8F466FCF22C83AC3E14F11170A52B1882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:12.153{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B86884FED10E11772BB9D2AC4BD6152,SHA256=9EE98E6C9AD458DDC4241E1A9B7E29C3904D55840CE3E4F96422B1226F7F28A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.018{D371C250-BC9B-6124-DE06-00000000F101}36404004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.024{00000000-0000-0000-0000-000000000000}3396win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;<unknown process> 354300x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.110{00000000-0000-0000-0000-000000000000}3396<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61680-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:08.024{00000000-0000-0000-0000-000000000000}3396<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61678-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 23542300x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:13.439{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0356324773FB837B843DD0C60D124E9,SHA256=735734A6D7A57AA17BA85A089EF7AAAC71AAD0CD0F27A5823E7C32DA8632BA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:13.439{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FE6D0146EBFD1CB6871F3D48C4007CA,SHA256=8DF47BB1AE1BA06EA042D6A300D61EA591768FE40C01AEB4B244D189982D9BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:13.168{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9EBEC0AD320FB3FAD5FFD025F4954C,SHA256=B3FA6FADDE1CD5EC5B4A246453EFD9882F6EDE96C43C500FA0D0858CA9A568B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:14.643{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B358BE73A8611AD66B87248307844B1C,SHA256=FFC0FC0EB6119AEEF9A6519191BB0693E2167C516C6CBB9CE67437A17A96D185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:14.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9529865FA944DB1F43AE3C98D92F1C33,SHA256=C94BEE9400601B82A3377D7BF5D1755DB1ED17529C1EFDCE116E7303E430011C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:12.764{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:15.643{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF3C334724CCBAC07C3DBFB860B440,SHA256=E632DE430376B80009885EDE415914880149170E745402DDFB1B94A41EE3B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:15.231{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C26395892C99974A408408F8093258B,SHA256=9882A685C4BDB82F60EEADCF191AE1FBC913611097B7256263B9194762CEBBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:16.721{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAF50A44D33ED297A1A35EADD37DE4F,SHA256=34048AD7CE26AFD44AD4705C1F452F2B88329703F186897401DBA5B7EFC8B5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:16.251{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EF6C3CFD1E30FC92DAC0D641363011,SHA256=7C958C6EE13FCF39DF29DFA5A7D4E42D15F309C140BA8739E126DFDCD5BA3269,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:12.067{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61683-false10.0.1.12-8000- 354300x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:11.867{80A11F3A-9FFD-6124-1100-00000000F001}484C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000027713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:17.721{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAECBF765D2EE4C97F0E65D1F1DE65A,SHA256=B063AD9418F1B14580B7B6E81732B7BCB5245478BB4A7E09623EE7AA31DEEAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:17.265{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E389186E5A87F30F72BDBD3224083A0,SHA256=B805E2FAD01F2F8EE693F73CA723B79DC5DD99223CA4101554911DF2A1C144CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:18.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F32F70CD9914D1A5711175A632A151A,SHA256=A5E4CD23F06532A49F764B7FD09B2E65AC3F16B5CD1EE1272131A773D6FEA383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:18.280{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E69362731C029407C1FFEBCC70059F,SHA256=FB3F85A40002AC5C40C000EC9DA3B1AD524EBA3D868EA2A2D6058F0B28ED7F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:19.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1320E2EEB46B3C4BC36DE99F44DB1B8,SHA256=F88D7163876AD5EC9D7D6DFFCA7F95C7A2095691C52B34886F031BB32FBA7C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:19.310{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E87911FA2A1EB0A6473B40A8B3E6FA7,SHA256=40C23FBEE678F8E9F56E502209B0A80E5566B7928FADE0D966080F79BC1BFFA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:17.811{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:20.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5204A627CB50ECBB278CDBD088A86D9,SHA256=16B5A5A40BDC9109781188E7EF008C8061F17BED85E622AA940BF587E4EBD808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:20.314{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3DC4F2D1DCEC4479CDA0AADD27A81B,SHA256=735967A30DCB16FF18F3B8A86EAE551667F8C3A8687BFB6C2A22AD80DACA45E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:21.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA5E0CD8D5CE754F4175C50399079AD,SHA256=49F460580FC8614C0C7765951441D3B1E8F1E19B42AE6417CF3743C35B15FBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:21.315{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5476FCC9A3FAE5AEEE58FD29026393,SHA256=EDAC5E7EC620978F7695E56DC233DBA879F1F0A55A58AE9D1E0C86350DD070F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:22.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F062D0E3DE1A28589056484F0BC40FB0,SHA256=DA82492117657FEEEC68AF749ED7E3133175BC64973F454D3347F6ADC8572054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:22.316{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B5C778D1BDD471E6F7342E959D3197,SHA256=B19922947DEA01E59FEEFD96A1207B174487F0D2ECCA37D939F4077452CDC420,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:17.100{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61684-false10.0.1.12-8000- 23542300x800000000000000027720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:23.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33C8A6C8AD8C0A5CC5B79870D649A0B,SHA256=E732F7061897FA5BFBDC8DBBFFBF98D7449CC9073122E1D4E680E302828AFDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:23.317{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBBCB2D300D6C65A9357B4A0574C42E,SHA256=8E8575A5FE74CB348AF9D859528C9E051F03401EF4C72B8AA4451BE9FD31777A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:24.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15917FFA89E4DAD763D7F1B1C3B4B9F,SHA256=9B0F3FDC38B9E7802DC6F5A2394D3D9451267583693CB4C64D557D729F9F890A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:24.333{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEF3A5C23549BEE8824B25932ECB3F7,SHA256=9C9BF12E4A7A875BBE387780930A986990541F3984374A29FB5ACE77443F5DC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:22.827{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:25.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03254ACEB0224840059D6D3EDF60A250,SHA256=A9E738F09B32450AC3012A06441D0ED25B77B50C0E0D73A686084B7C33A255AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCA9-6124-8509-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BCA9-6124-8509-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.614{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCA9-6124-8509-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.615{80A11F3A-BCA9-6124-8509-00000000F001}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:25.352{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4247A10D520A0F745922A28D58AF6F7,SHA256=DCDC47F018B50A792411BE7F7712049994AB184F801EA3C2F3F2FE8D45381348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:26.736{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251D9CD0BC7CED42DF675B46EFD1D7E5,SHA256=FCDCB23E617D661AFECA1D3C484144EB8131C13F8269D7550915B4765CC865FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAA-6124-8709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCAA-6124-8709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.983{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAA-6124-8709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.984{80A11F3A-BCAA-6124-8709-00000000F001}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.939{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-118MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.633{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6511C5E3F9793E1115EEB8814E8130,SHA256=9A317B11F61D6C2A2821F965EFF13357DA745D39F88DEE3C6849AED81C947D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.632{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775740E5940654D07C6EE56130BC2CC3,SHA256=0927E1D1595A69FBAC359F6205044F55BEB4AD7DC8FD819E9CD10688B686FF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.383{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1726A5FDE00D1916F534E6AAA880EAC,SHA256=D2F0D78D9B403BA04BFD46291CC8A0E2FF97EFF113C0211B627CAAC120087D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAA-6124-8609-00000000F001}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BCAA-6124-8609-00000000F001}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAA-6124-8609-00000000F001}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:26.299{80A11F3A-BCAA-6124-8609-00000000F001}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000048881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:22.137{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61685-false10.0.1.12-8000- 23542300x800000000000000027725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:27.752{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8B1CB095D74A0259E964A98874AC33,SHA256=6B953F9E4FBBAC58482B9293B631F8995905F32274AFDD522A0E82CA1FC4BCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.938{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAB-6124-8809-00000000F001}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCAB-6124-8809-00000000F001}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.805{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAB-6124-8809-00000000F001}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.806{80A11F3A-BCAB-6124-8809-00000000F001}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62497C8D919BF064F27705F08566A97F,SHA256=3A3F2F7A58B2A38803BC1AC998AFE1A8C58EF5BAC16535FE39AFFDE4FE300AD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.142{80A11F3A-BCAA-6124-8709-00000000F001}35726412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:28.752{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E992BB636150BC3EAF8882203757768,SHA256=8A8E99F9844E91711A54A2E99F3640E65CD6EFC8F0D314AA3C87DDBE505BB652,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.675{80A11F3A-BCAC-6124-8909-00000000F001}48844676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAC-6124-8909-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BCAC-6124-8909-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.478{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAC-6124-8909-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.479{80A11F3A-BCAC-6124-8909-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.422{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE0B287DFAEE66B5F9DA4EE8FAF0032,SHA256=8036D03971FC61E623799407D71DDB7A1D395DA25DD5BCFCEAF60900A4D09EF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.022{80A11F3A-BCAB-6124-8809-00000000F001}69883968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.006{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6511C5E3F9793E1115EEB8814E8130,SHA256=9A317B11F61D6C2A2821F965EFF13357DA745D39F88DEE3C6849AED81C947D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:29.752{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B485DA068357CCC7908BD19878603,SHA256=A00A89250B4AD367669DF8DD55C4C009DA6487ED1D4A19EB11A6354393E9ECD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAD-6124-8B09-00000000F001}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BCAD-6124-8B09-00000000F001}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.789{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAD-6124-8B09-00000000F001}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.791{80A11F3A-BCAD-6124-8B09-00000000F001}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.505{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=082D0A874319BA98B47CD2CC8BA4BA91,SHA256=654651542AF7440D5FF02ACF6A34EFBA8F0F2F3AC749846AE8C8B2307ECA1111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.443{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54F229E8C589012C17A0584E99F6F7,SHA256=172B564C9100A85D61AAEC14456F7468229BA78A0FDBBE722B1B779A13611724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.343{80A11F3A-BCAD-6124-8A09-00000000F001}53041016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCAD-6124-8A09-00000000F001}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-9FFC-6124-0C00-00000000F001}8526400C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCAD-6124-8A09-00000000F001}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000048926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.158{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCAD-6124-8A09-00000000F001}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:29.159{80A11F3A-BCAD-6124-8A09-00000000F001}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:30.799{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF1EAFC6D73E40592C777F6E3F9BD6E,SHA256=3E9D403C3B0F2302D89E26C91D7C8D7F048B062CED1CAA0D5EDE528ECC808B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:30.821{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9614B4FEDA3358194931658131AF6990,SHA256=A8144AD944C591B28FB889E4E65D20FD2E907A6FC86AB1AA030BA66A32CDEA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:30.458{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0757CE73EC97FFDE88D139623B0CA61D,SHA256=F8172F13FE0B03AAF56AF9182B4CA91F9AF43E7BCF8A1B297E793927B49D69F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:28.671{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:31.473{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D15C3A2E4DDCBE99B8BCA6E0355C8BE,SHA256=A81F0A20DB25E7F2BC9EFA00FD33C1585A16DC4A9DB9CFBB0B61A557B63745CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:27.173{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61686-false10.0.1.12-8000- 23542300x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:32.986{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:32.033{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BD788C6DA1C5F5FA8D22CFE646D3B9,SHA256=2367B4A602A03ECF1F22CC3622E006865AEE609986F6D09D477D58CCE402AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:32.488{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C61685551F518E28F6B18FD425899F4,SHA256=62C8B177F54EDCD1789F410084A4F829C9389534AD94834DCE7FFDB8DF4CE8D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.283{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-391.attackrange.local61687-false93.184.221.240-80http 354300x800000000000000048948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:28.280{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54609- 23542300x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:33.252{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB491FA4FF2E5D9902B4DF7583A055D,SHA256=AD99EBF0DCD7E7E12068D9E56E7D822F8C2188901D5197F96B201141CEB31E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:33.503{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56B2053D949D20CA2D325F8120E1398,SHA256=1562E96657B524343BBCA37DFDCFFB08B994DF2CA52687B2B270E704FAFE707A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:32.593{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:34.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C0CA13E7DCCD8F20E6A5F01314908B,SHA256=9F03866EC70CFA1735887542C1F5EBCA8E938D29132567BCD8B9D50EFEBB6957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:34.555{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE9A9B6E70C78E81D452A502B3170DD,SHA256=75BCD889EF30B74FDCA31969E21C1D3970E637EEFCCE5798B65016AA34C06E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:35.518{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657BB4FB885AD6AFC2A9C736C0EF8C4,SHA256=F89EB0DB4A2A09155100A80067EEA77BF905795750D34E8C800C187F55C38FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:35.586{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E3729BB199681441AE4F4854861D19,SHA256=1D017310D8D1F115976D8F9DB9DE2C8C17331E97EF0D72792D147ECCCD9D6746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:36.611{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0668A9B0E22328BC9A702514A078A5A8,SHA256=DB63864A99FC7C7CC5BA0BF210E7FFD87328130FD82DC78ACD2FF4A4253EEEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:36.601{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFB1FE037E5CD574D21707ABAD8F8AA,SHA256=0603F85920CA8A2797B3F1727B081706601357E677AD044DF109243393F8845F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:33.686{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:37.783{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D424A9628E2E7F28510045EAEB7510,SHA256=8D256B1EC6F8BB06A0C0214753F458B0DA50324111F025D473B810BDFD282D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:37.616{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432DB51AE2CFB2D2A45E0A3CA9A2BED3,SHA256=321058E660A0418EE1E8439C9B50FFC07E3C9E894295C8E49C6A75608ADEA452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:33.091{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61688-false10.0.1.12-8000- 23542300x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:38.783{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BB086335DE1F3CA07DF493E90C4E9C,SHA256=4DFDC6AA1D356EBD59519A79DE50F72467CE0808A13A2AAACECD0DA20EC66DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:38.753{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3A47CA24726C1C5EC5E53B80BD4DEA,SHA256=E483D8EB9EBCB04548EDBE1D7D404E06113E8A32E2F2BA565D3DC648FC4EAE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:38.753{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CAF038373437745BD73B1AE1CA1EDA7,SHA256=7E5B0C474B429120E576BCBDE34AE8AFF96AEABF2870ACDFBFC69CD23EE84323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:38.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF85D66D997FE2BAA3D2AD7FA69653D3,SHA256=658AA6DBFB0832D856A9A6732EE18843E1B7AEF1A51DF843479D775B59FE2BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:39.783{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5332E78B69688F68A352ABBD2E6941,SHA256=A05778186C1D93C1F6A5F3464B39FAF78CF183B3FE9599922A47B9AFF03DB658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:39.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AD27DD4DCFF06CC1E51135599E7D3B,SHA256=03DBA6BE57DBCE3C0FD587871E44339995096B6D0F605E23C88CE434CD872DCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:35.668{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61689-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000048960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:35.668{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61689-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000048965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:40.683{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EFB984765A2ACB457E5A095E454037,SHA256=63AB0C638C670802E79348853E84EDD07C64EDE268C58F6F7E86AE185F018284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:40.783{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670898D72ECF914B87F8001EC5DA63A7,SHA256=054584D425702617E2C86278CBA862A4D90F14CC2C382D4F85EF7A9CC46C04D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:36.524{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-391.attackrange.local138netbios-dgm 354300x800000000000000048963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:36.524{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-391.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:41.783{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB8E230B6B26827D534E5FD5EC6668C,SHA256=2F227170309CCB421606F88207F0B6547292D4EEDA98F74108EF7143D1A35424,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.767{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.767{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.767{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.735{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.735{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.735{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000048968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.735{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:41.698{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F26E6195B49C290B0CB46A27D274ADE,SHA256=65FC7D6377F27F11477AEC1A631370B9F92002BF720B8412ECF1EA615F0BE01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:38.189{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61690-false10.0.1.12-8000- 23542300x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:42.784{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE97A781A6F3F31E645BCAC9C0BEF575,SHA256=DCA187098AEF97E461F9299C65580E37726554124EB1DD8BD68B515ADC375608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:42.713{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7894C55975EF53311426260320D2F0E4,SHA256=0A32EC5521331A38351938B10BC0BFEF9AFCED863A3F9712F4AE6D79E0555070,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:39.702{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:43.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A93BC55940516D760A2907EE165E5D,SHA256=339EE4520C461C7BADD3F1A435701721C25F788F67E7DE2FAD855E6B8B4A598A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:43.730{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C272F837B86EE7AC2452E187F38BF3,SHA256=DA1A4C14EF66766FA8674A6913CCDB2E0E966C1C825DF4CCBCC740F0CC1C77F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:43.146{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-111MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:44.733{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8188D96590661FD6083C999227EFB16B,SHA256=7F3AC472D9CA74246ED8CD4512139ECF6BC24B1A89CD049B56BBB24B189F19E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:44.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B30CC3CAE9AA985FB9138402C6B2EA,SHA256=1B4CD2996C887259D4671F803FEDA40A8017554213014364FB8FF352B71AE7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:44.160{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:45.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DB3A11654BA54EB1B1F92712F54EB6,SHA256=9FA092AF1A391674CAE87CAA0093BB071EE3600BC5CA79329C7520912D4AF11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:45.752{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2988F2D01A52079C0760199D9A11D9D8,SHA256=F91696BEED56C1ED8668474533ACA3C678C2C8FBC7EF5A6CAFB5C3DB2BD9662D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:46.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72568307A4180972B3CB3D10BF765A7,SHA256=27E58C41F824F6837873B3A052C72928C37B2DDF1A43EA620B716833A272C3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:46.768{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3FB1EC39008DA7B6C279026F07A45F,SHA256=A981E967A083822E2CFD4F2C803970108562C085F6D19CCE56B4971820AD7B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:47.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876F1AECBFFA7D4760A4BBCB2C23D5DD,SHA256=D129892CA34D9583E1602719F6B4CB7B4AA86AEA9CC1047C4B8EA3D4FAACF347,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:44.151{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61691-false10.0.1.12-8000- 23542300x800000000000000048981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:47.782{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C12AA4018971E1034A5BB06C77AEAA9,SHA256=4A5C1DA6028B32F1DDEBD4B5BB1F4E804A99A034A4C060F9701E25491B6C3D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:44.782{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000048980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:47.267{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=14824C2A8308D05FCD9F090057079209,SHA256=EF89A674ABD47B196E4B6A24C8CE8E914E7C342615F0D4652339B6904C9582E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:48.788{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B64F9DE992BF199E06251EB811BCAA,SHA256=0BA905FCFC39134898B4F6C69BD4B3819F3C41B2454574A4804F6A0FFD593D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:48.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1E09AE89D353E71C5E96A5ACB7220F,SHA256=D980DBEDCA7A74298B13E5EB66568139B456178D708E35FDA013233073F05871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:49.788{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EC819C43AE85BED35F23E887EA6D58,SHA256=24D23C2E29F2CB5103FF9119CA4D7DCC74080FC099087FA2C0177800AB1FBAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:49.800{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504CB1E6DD50AADED5EEE70D4476F659,SHA256=5F44F4803D5675B3616FA3B470CDE1AADA0E387FC55E6AA44F54B043D1F0C71D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:46.731{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local57601- 354300x800000000000000048987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:46.730{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-391.attackrange.local53domainfalse10.0.1.14win-dc-391.attackrange.local53562- 354300x800000000000000048986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:46.727{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local65535- 23542300x800000000000000048985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:50.803{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B1DB5C3452D780875B87180D04B921,SHA256=05555A5ED0F7FC5609BEC9EAF610D2A743158085C63D7E1261A7C0F43FC007E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:50.860{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0EED9188C70D62E7A17829A22149C1D2,SHA256=9BE067A8578036E1876247D6ECD1E7005F2089E4F7025C8A62561FA045B23135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:50.813{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA40484AE314AB704FE7BACAD6F93928,SHA256=B26BCA78727DF5B92F662669599DD3EA2DF4F74C670C90E85BE3EC1E2C4E3E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:51.813{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4437E569C631ABE8615FA8905C705E22,SHA256=90B104BFF2B35C90B83A8B48568EEF928C96F9CC80F7BA61EEF0A7138676BB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:51.871{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB06BCCCC45D60F71B0BC99549E4A1D9,SHA256=B39B19EA66A73923CCF81CDC071988C2CAC047633A4A8AE864128EB07D713427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:51.303{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:49.224{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61693-false10.0.1.12-8089- 354300x800000000000000048992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:49.192{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61692-false10.0.1.12-8000- 23542300x800000000000000048991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:52.886{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82FFFA83C1734385DE8E74B262F86E,SHA256=B93DE15EE7AC167D04A9E85543ED0122E42129FF6965ADB614341DE58BDA5187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:53.916{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC85703052B7A1EA299F238CE8620E3B,SHA256=29E57868BF08FB9AC141489F390F99EC6CFF93697CE589D916A6F2F27AD85D6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:50.686{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:53.033{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E8E3DED03FF2611BF670B1109A89DE,SHA256=FDAACA8FAB91AF470ABF98DB2BB4CC1A0F1312E05782472184EA4FD969A6EE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:54.919{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DAE550A6439D159850417AD65696CE,SHA256=8772930C57DB093EB3AD0CAD035CAA59F6E2DD27035EA12AD2B4176D5B5C0AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:54.065{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D069925869EDEDD375BD840196E5EA1,SHA256=FD2048BDF834D986FBB1F62B35FEE82C2714A576C49AC5AE7442C9BCC329882F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:54.269{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad1.bat@2021-08-24_093247MD5=02661C12ACA42C69850FE91CD7E03406,SHA256=719AFCE6AAA76A0A0D5D6C2718459D8B7C2A87D5039C74A56C67FE05C06DA501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:55.920{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFEC83C9D5C1BEDE164B7AE2B9F1622,SHA256=9555DB8B289D2200CBC12F3F27C6493B6FE56D34667C1FAA2A6CDB0F742E4A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:55.283{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEAE3E0896F4C7CA0B1F5DCF6FBBC1F,SHA256=96D2CB870A3B61C18BE1731CCA17ACE7C61B964B63C6AF5A97FA1547638E7BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:56.938{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB33604777EDE235C4A4DFF835049D0,SHA256=97FD43FD3155F6A0567CD54A30E89B0332CCB7114DD9DB4887CB5126FFD35CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:56.377{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D56BE8B6855594FF1AD5DF185C5EE9,SHA256=F3085E47E10D2388F0E7C1A8AAE13321E3BCFA3AA02CA6389B0A99FCDBDF049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:57.956{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF9DBD75B93DAB5D0D697B471EAA31,SHA256=4C37D483DF2C6E21CC23C99F3D9B421CE553F3BB051CC4AA0436B2F9A9A71583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:57.643{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8A5E0EF109240C8C4C0C28F0933B08,SHA256=7DAD1D1464A38850DB9B0FA88B833BDC19DFA575CC11CB7B23DFAE86004EDA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:58.970{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC23247B0AA0D2A40BBA7426C32F7F6,SHA256=13F1814EAB0B501D9DCCFF360D0C7248A5F78C5F52A42137DD7E3A9D6310A657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:58.721{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6380087AD5435D89F24E86D81925F6,SHA256=736B0EE5020F49977BC414721B41509F8B7991C37CDC63D5D12D010776AF0CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:54.975{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61694-false10.0.1.12-8000- 354300x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:55.718{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:32:59.985{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAC97DA7F0C7F4EA565E0A741DC232F,SHA256=7060490C96E70BC1CA5CC2BF90CF4ECA8B8A8848777615962B9B2513A04810B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:32:59.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACFF78F1DE11E04DA7B8563CBC74D36,SHA256=3E61263EA6438E24B7001A049F52ED8DFE435DFE31F70A2274310E3C08FD2B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:00.988{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA997A2FD026EB040680CABE751CFFA,SHA256=2146A9DD79B5806F7A53A2483BA7D11F9A390952CB326F728CBDE56145C3EC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:00.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A9275AC23AB9CD37FE7A964B4A344D,SHA256=6B7D9D29B68DA62F075F041552644B5C11277782FD42E982DB800C75D0348F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:01.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4094E12E2A7C7B7EF10BAB9FFD0543BA,SHA256=31E8210FDB7CF37245E3DF90E1A29B8BB95A47B2BDDCC1BEAFA4A2A83E74EF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:01.272{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad1.bat@2021-08-24_093247MD5=308FA8381AA965841B5651A74819895C,SHA256=02BC7BC576035326A54B4E54040C4A6937738590B8ED2A4D01CD430741BD9DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:02.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292286E4C6BD988892DC6B04CC4F9BBC,SHA256=7AF28796A8E02E84A580FDEC92B94EE7AF4FAB6E08A174FA238DBE5471BC4171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:02.973{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad1.bat@2021-08-24_093247MD5=0F142F07AF305DBB2DCBAFE3B138923E,SHA256=CBF9744D9DF636561657B748E44A2ADB4110E02D211672CBA82B6FBFD589BA44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:02.973{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.bat2021-08-24 07:50:56.099 23542300x800000000000000049006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:02.973{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.batMD5=7AAEAD3D2409E2BC5AFB8EC85E8DBDAF,SHA256=635BD37BC1CFA5F2B4143718D8E0E3FC46EA0E03C5805918EBA9A070891A581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:02.018{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0955EE2EF11D92BF40EFE58EA2F93FE5,SHA256=31F39DECEE710A7725433613C1D1B886AA207CEEF9033753EAD7A9E996072C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:03.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C498A4CA59FCFD2F50ECABF1F76880,SHA256=1E6BC2E8611597296CBEE702E812C9F24A26A72E5CE41ED6040D60D192B815DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:01.703{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:00.057{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61695-false10.0.1.12-8000- 23542300x800000000000000049009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:03.019{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80C95CB8B5916F571136463C2BB1452,SHA256=B906AD3CE6EB17D8AF05B7A6CB55F879E88206849D21C3AAF4E876AF4F9C5EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:04.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8BD9EBB7DF9074197A7C027FDED5B1,SHA256=31B1773CE1C09AA11FADCAC387D350A90B003B55234E50F30C9C53E1E13B042A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:04.102{80A11F3A-9FFD-6124-1600-00000000F001}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF70a6ed.TMPMD5=D12542BF8B869601FBCE3619185B42BE,SHA256=A4B1F3513FFE0DD50778291ACF6119501D3E8BF4BC54470EB017A1C27AB9416F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:04.036{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AADBD9A66A5933B6C56AC97BBF6545A,SHA256=28B2B6C6BD34A4EA6B946E5C9CC63B40E45724A8D2648E3B8BE3B2CFC393F6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:05.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D231C037815424998044E4A0532EA49F,SHA256=1D6957A9B029FA6BD5662CC25055DE4526CC60A856D3B54EB7D3FE1180D47669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:05.437{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C3D426EBC8DBF898356A160D89C161DA,SHA256=FC6466C79D401A9D2492556C67539EAEBA585077CF50C320BEE391BFA065D63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:05.436{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B2C536E3D191395AEFE737C069728AAF,SHA256=6972EB6B2FDA9578912F4AB0BA326F62F32011F5BFC5DC35991C59D4328C617A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000049016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:05.070{80A11F3A-A44E-6124-D004-00000000F001}4160\UIA_PIPE_4160_00006c4eC:\Windows\Explorer.EXE 23542300x800000000000000049015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:05.055{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF55A2503BD54C366226E42A27A2C91,SHA256=F180D003BC527446A8DD41E729FDBB02BD83B2F1C92B9B5A334AC6B004519C65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:05.039{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.bat2021-08-24 07:50:56.099 23542300x800000000000000049013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:05.039{80A11F3A-A4F9-6124-6306-00000000F001}1648ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad1.batMD5=0F142F07AF305DBB2DCBAFE3B138923E,SHA256=CBF9744D9DF636561657B748E44A2ADB4110E02D211672CBA82B6FBFD589BA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:06.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4702FEFF23E271935BB3B350E8E0478E,SHA256=820FB7FDB60DDA702D9918406F0D12410EE9DC46154CC9D9C19A92A63E3604E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.501{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.070{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF2A5016CC64F33063CA5821346C521,SHA256=A09AE6899764EC91BB37F21B292E9461A65EE3C248CE1F8B9D3FBF8F25C0B922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.908{D371C250-BCD3-6124-E006-00000000F101}32522696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F7A3BEB13D799CE19E452913C24DEF,SHA256=DC8B52E1E6D29C10D90C1860654E83A03FD6184CD1F9FCF58F45EF987140E31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD3-6124-E006-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BCD3-6124-E006-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.752{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD3-6124-E006-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.753{D371C250-BCD3-6124-E006-00000000F101}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.969{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-9309-00000000F001}1572C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-9309-00000000F001}1572C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.953{80A11F3A-BCD3-6124-9209-00000000F001}56846776C:\Windows\system32\net.exe{80A11F3A-BCD3-6124-9309-00000000F001}1572C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.966{80A11F3A-BCD3-6124-9309-00000000F001}1572C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 users /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BCD3-6124-9209-00000000F001}5684C:\Windows\System32\net.exenet users /domain 10341000x800000000000000049083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-9209-00000000F001}5684C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-9209-00000000F001}5684C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.938{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD3-6124-9209-00000000F001}5684C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.949{80A11F3A-BCD3-6124-9209-00000000F001}5684C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet users /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000049075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-9109-00000000F001}5140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-9109-00000000F001}5140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-BCD3-6124-9009-00000000F001}58725556C:\Windows\system32\net.exe{80A11F3A-BCD3-6124-9109-00000000F001}5140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.926{80A11F3A-BCD3-6124-9109-00000000F001}5140C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BCD3-6124-9009-00000000F001}5872C:\Windows\System32\net.exenet user /do 10341000x800000000000000049067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.916{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-9009-00000000F001}5872C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-9009-00000000F001}5872C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.900{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD3-6124-9009-00000000F001}5872C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.914{80A11F3A-BCD3-6124-9009-00000000F001}5872C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000049059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-8F09-00000000F001}1944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-8F09-00000000F001}1944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-BCD3-6124-8E09-00000000F001}9604108C:\Windows\system32\net.exe{80A11F3A-BCD3-6124-8F09-00000000F001}1944C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.881{80A11F3A-BCD3-6124-8F09-00000000F001}1944C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BCD3-6124-8E09-00000000F001}960C:\Windows\System32\net.exenet user /domain 10341000x800000000000000049051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-8E09-00000000F001}960C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-8E09-00000000F001}960C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.869{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD3-6124-8E09-00000000F001}960C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.870{80A11F3A-BCD3-6124-8E09-00000000F001}960C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /domainC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000049043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-8D09-00000000F001}6584C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-8D09-00000000F001}6584C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.837{80A11F3A-BCD3-6124-8C09-00000000F001}71325500C:\Windows\system32\net.exe{80A11F3A-BCD3-6124-8D09-00000000F001}6584C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.843{80A11F3A-BCD3-6124-8D09-00000000F001}6584C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{80A11F3A-BCD3-6124-8C09-00000000F001}7132C:\Windows\System32\net.exenet user /do 10341000x800000000000000049035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD3-6124-8C09-00000000F001}7132C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD3-6124-8C09-00000000F001}7132C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.815{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD3-6124-8C09-00000000F001}7132C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.827{80A11F3A-BCD3-6124-8C09-00000000F001}7132C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet user /doC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000049027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.084{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4202746E95AAB9F912B5CE19FE9344FA,SHA256=FCA615CAAF3D2DFE76803BA8CEE93AA3D1C17308022F85EF847EE551AA2BF7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696B457F2D12398D9C6CC7FF0A6ADED0,SHA256=82C534C3929FD51E0D43A29962AED0B11AAEFF839934E0505A388F6BAFF76C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.817{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CEBBD957221BAF9320DE18AFA278A16,SHA256=3549A4E68D85C95FA1356D6FDE9BDD46644A06D259F6517538406F59941BA245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.817{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3A47CA24726C1C5EC5E53B80BD4DEA,SHA256=E483D8EB9EBCB04548EDBE1D7D404E06113E8A32E2F2BA565D3DC648FC4EAE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.516{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.516{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.485{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.485{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000049147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:08.454{80A11F3A-BCD4-6124-9709-00000000F001}4984\PSHost.132742711883015950.4984.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.417{80A11F3A-BCD4-6124-9709-00000000F001}4984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4rdvatm4.wyi.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.417{80A11F3A-BCD4-6124-9709-00000000F001}4984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k35stvn0.osc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.401{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k35stvn0.osc.ps12021-08-24 09:33:08.401 23542300x800000000000000049143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.385{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=32203D4BD9AB1287E6566CD7C6F601E4,SHA256=40F1EF88FFDEFB68A20DEDED9562966F850443EEE586799EFD25990C4E88956B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.354{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.333{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3E2984C379B17C7C819C36EDB6A33F,SHA256=75F1D42846659CE1782EF74717D1ABFB9218A57AFE8B8F7A7549F08001891FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21A47B14E2583A3F670EAECF71C9142,SHA256=BC5993A59041D218F5E8F575603309ADEF507F98D263E9653196E34BB534C1E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.300{80A11F3A-BCD4-6124-9609-00000000F001}40206040C:\Windows\system32\cmd.exe{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.301{80A11F3A-BCD4-6124-9709-00000000F001}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe get-wmiobject -class ds_user -namespace root\directory\ldapC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BCD4-6124-9609-00000000F001}4020C:\Windows\System32\cmd.execmd.exe /c powershell.exe get-wmiobject -class ds_user -namespace root\directory\ldap 10341000x800000000000000049131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD4-6124-9609-00000000F001}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD4-6124-9609-00000000F001}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.269{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD4-6124-9609-00000000F001}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.271{80A11F3A-BCD4-6124-9609-00000000F001}4020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe get-wmiobject -class ds_user -namespace root\directory\ldapC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000049123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.200{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.200{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.200{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.185{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.169{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.169{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.169{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.153{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.153{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.138{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.151{80A11F3A-BCD4-6124-9509-00000000F001}4928C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname /VALUEC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000049107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.116{80A11F3A-BCD4-6124-9409-00000000F001}2832ATTACKRANGE\AdministratorC:\Windows\system32\dsquery.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.768{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591511958B7151F275FAA39AF7B5C213,SHA256=81E04A20898FE7178C2FD6F4ACC427CEF09B7EE7B9FC90CDA0300FA93652BF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.768{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60D6F2DBE85FFB92D9D5929941B570D,SHA256=DF9BA466A505C2EAB2F9B41C3FADB2407CC7697C19BFA506F674D7EBC3F708E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD4-6124-E106-00000000F101}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BCD4-6124-E106-00000000F101}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.424{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD4-6124-E106-00000000F101}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:08.425{D371C250-BCD4-6124-E106-00000000F101}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000049106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.069{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\System32\dsquery.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000049105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.053{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.053{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.038{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.038{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.038{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.038{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-A44A-6124-B604-00000000F001}27882324C:\Windows\system32\csrss.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.000{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\system32\dsquery.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:08.007{80A11F3A-BCD4-6124-9409-00000000F001}2832C:\Windows\System32\dsquery.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft AD DS/LDS query command line utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationdsquery.exedsquery userC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=0F173F934D6FED9B140763559F70DF65,SHA256=3201CC050F642D0B3AD759EDCF57287082200831A258FBC2F17B4C96B53A28A7,IMPHASH=D442E29184F60B794AD2B7508D569FC3{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.846{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE59B9388ACF9078F4FA3C1FD5EEA67,SHA256=56B4831A0E46EB442CA27895E0CC50F7DE3E8D822DBC987EF71E911CEDA0D3A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.579{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61700-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.579{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61700-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.148{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61699-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.147{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61699-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.037{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61698-false10.0.1.12-8000- 354300x800000000000000049162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.010{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61697-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.010{00000000-0000-0000-0000-000000000000}2832<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61697-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.000{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61696-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.000{00000000-0000-0000-0000-000000000000}2832<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61696-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 10341000x800000000000000049158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.285{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.285{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.285{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.270{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF94C9686924FCF442259EB0D7C18B6,SHA256=89CF71F1777095EC1D442F4F1EDF1904C257FA35448F45DA3B24F42F8AF41159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.270{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=84F279740D3ADF695292D0468387FB3D,SHA256=A7A0AD056E09E600283DB35F473199DF7777CDE8DCF58BD4C7CC5DBF4769E766,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:07.718{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD5-6124-E206-00000000F101}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BCD5-6124-E206-00000000F101}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.096{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD5-6124-E206-00000000F101}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:09.097{D371C250-BCD5-6124-E206-00000000F101}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.849{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB5BECA00C14F5230B0A816CE071AAE,SHA256=706DEE9088833723806EFBD5E4C62A31E8FEF9921DB803DDCF38F77942BF5FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:10.271{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B01E82D11703935CABDCE60527D3A0,SHA256=E0A39E63846667166065AC936143F7E0609398CE512C4B907F1EAE767330A08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.130{D371C250-BCD6-6124-E306-00000000F101}3508380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.099{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591511958B7151F275FAA39AF7B5C213,SHA256=81E04A20898FE7178C2FD6F4ACC427CEF09B7EE7B9FC90CDA0300FA93652BF94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD6-6124-E306-00000000F101}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BCD6-6124-E306-00000000F101}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.002{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD6-6124-E306-00000000F101}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:10.004{D371C250-BCD6-6124-E306-00000000F101}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x800000000000000049169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.150{80A11F3A-BC96-6124-7E09-00000000F001}6972win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\wbem\WmiPrvSE.exe 22542200x800000000000000049168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:06.000{00000000-0000-0000-0000-000000000000}2832win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;<unknown process> 10341000x800000000000000027864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD7-6124-E506-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BCD7-6124-E506-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.864{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD7-6124-E506-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.865{D371C250-BCD7-6124-E506-00000000F101}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.849{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF036023383F7A135F24986108222F0,SHA256=074FD0331602B4A6918EF2FEFC11A30C07CFA1FB8A06E8892997625CD5C5753C,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000049200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.672{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000049199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.532{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.532{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.469{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.469{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000049195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:11.437{80A11F3A-BCD7-6124-9909-00000000F001}1016\PSHost.132742711913455037.1016.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.415{80A11F3A-BCD7-6124-9909-00000000F001}1016ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_lhu1k0qa.ag0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.415{80A11F3A-BCD7-6124-9909-00000000F001}1016ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3wiebaea.xqf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.400{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3wiebaea.xqf.ps12021-08-24 09:33:11.400 10341000x800000000000000049191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.368{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-BCD7-6124-9809-00000000F001}37164640C:\Windows\system32\cmd.exe{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.345{80A11F3A-BCD7-6124-9909-00000000F001}1016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-ADUser -Filter *C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BCD7-6124-9809-00000000F001}3716C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-ADUser -Filter * 10341000x800000000000000049182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD7-6124-9809-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049181Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049180Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049179Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049178Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049177Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BCD7-6124-9809-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.337{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD7-6124-9809-00000000F001}3716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.338{80A11F3A-BCD7-6124-9809-00000000F001}3716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-ADUser -Filter *C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000049174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.315{80A11F3A-BCD4-6124-9709-00000000F001}4984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.284{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531CDA5B311ED91AD6E2A9F90D2A4E15,SHA256=E9C4FDA0F89E0EE0CC3C2A1EBF596AF3AB9947FE45E210FFB642D5F605DA0190,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.364{D371C250-BCD7-6124-E406-00000000F101}2796212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD7-6124-E406-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BCD7-6124-E406-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.208{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD7-6124-E406-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:11.209{D371C250-BCD7-6124-E406-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.241{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61701-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:07.241{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61701-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B6488EF1421F75399E712D880A2F4,SHA256=0CEF1833DE72F43E55311A7ED25639FAEB7082DC326C93DEBDE154A8351E0F4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.995{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD8-6124-9C09-00000000F001}2156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.993{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.993{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.993{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.993{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.992{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD8-6124-9C09-00000000F001}2156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.992{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD8-6124-9C09-00000000F001}2156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.992{80A11F3A-BCD8-6124-9C09-00000000F001}2156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Get-DomainUserC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000049231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.964{80A11F3A-BCD8-6124-9B09-00000000F001}4804ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.701{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86288A4B66E33D24EB496A5C760C5D5D,SHA256=0D8DD6E0042AFB342B457A08C8EDF9D49929F6641F96224F414BFE2C3D468C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.601{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B391878A4A64A623787091F38B5A7A,SHA256=FA53D45C897CF6793750E1E1FEE02803682D5E2FFA7DF49DA2CB7FC80183DC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.601{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=615F143163AF273F85FF6020E2738E1A,SHA256=12AB9BBEDAC8AB250B3FC3B2388F0F15F6F32132300192BEA85C33DFC2CABF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.601{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CEBBD957221BAF9320DE18AFA278A16,SHA256=3549A4E68D85C95FA1356D6FDE9BDD46644A06D259F6517538406F59941BA245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BCD8-6124-E606-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027873Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027872Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027871Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027870Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BCD8-6124-E606-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.520{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BCD8-6124-E606-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.521{D371C250-BCD8-6124-E606-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.411{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ED41F96CC483BCAD6487819C11C8633,SHA256=F048C09BE5CD24883916199199FE9036FCBF19B12340E9CB69BAFA3FA11DCC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.020{D371C250-BCD7-6124-E506-00000000F101}18564032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.271{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.271{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.240{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.240{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000049222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:12.202{80A11F3A-BCD8-6124-9B09-00000000F001}4804\PSHost.132742711921316701.4804.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.202{80A11F3A-BCD8-6124-9B09-00000000F001}4804ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_miut1zdj.ees.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.187{80A11F3A-BCD8-6124-9B09-00000000F001}4804ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_grxj00tw.eqy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.171{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_grxj00tw.eqy.ps12021-08-24 09:33:12.171 10341000x800000000000000049218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.155{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049217Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.136{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049216Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049215Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049214Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049213Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049212Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049211Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-BCD8-6124-9A09-00000000F001}43365100C:\Windows\system32\cmd.exe{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049210Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.131{80A11F3A-BCD8-6124-9B09-00000000F001}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BCD8-6124-9A09-00000000F001}4336C:\Windows\System32\cmd.execmd.exe /c powershell.exe Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1" 10341000x800000000000000049209Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD8-6124-9A09-00000000F001}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049208Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049207Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049205Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BCD8-6124-9A09-00000000F001}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.118{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCD8-6124-9A09-00000000F001}4336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.125{80A11F3A-BCD8-6124-9A09-00000000F001}4336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c powershell.exe Import-Module "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000049201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:12.056{80A11F3A-BCD7-6124-9909-00000000F001}1016ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.995{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB7B0E9295B2565BA49A01DEF8A4E127,SHA256=9F81F8688D689A56019DDCB50A4DA9D77D7EF4428AD040DEAB7DBBA98F8229AA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000049267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.602{00000000-0000-0000-0000-000000000000}1016win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;<unknown process> 23542300x800000000000000049266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.633{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC9C3E321C4E80EA66216302CDEBE48,SHA256=C7FCDA0112ACB148703EF0408B7FCA3CA46E58AF549AC4CFAFCDE61B82E51ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:13.521{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F7B31264B4BE4179AA6497E368816E,SHA256=C4FACCBB2B9D7AA9FDA14CA1E1AD20A828F362C0F27F6B3F7DD841E48D0399A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.479{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4BEEE4AAA477450A80D0073D8B8A7190,SHA256=796C9B054C88F9A2459BA37F437EA31173E628E229DED798058139ADA5E8E3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A53368D91CA62B3A707D0819EF968EF,SHA256=2077A0495E8A9F8F0B3260473DC02330286CD744D92CD9DD617AE467EAD320F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.295{80A11F3A-BCD9-6124-9D09-00000000F001}2536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.844{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61704-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.844{00000000-0000-0000-0000-000000000000}1016<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61704-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.714{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61703-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.714{00000000-0000-0000-0000-000000000000}1016<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61703-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.601{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61702-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:09.601{00000000-0000-0000-0000-000000000000}1016<unknown process>-tcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61702-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 10341000x800000000000000049256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.149{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.149{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.114{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.114{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000049252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:13.080{80A11F3A-BCD9-6124-9D09-00000000F001}2536\PSHost.132742711930030999.2536.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.064{80A11F3A-BCD9-6124-9D09-00000000F001}2536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_z3kmz4g3.fnf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.064{80A11F3A-BCD9-6124-9D09-00000000F001}2536ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cl3xae1v.nuv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.049{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cl3xae1v.nuv.ps12021-08-24 09:33:13.049 10341000x800000000000000049248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.033{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.006{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.004{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-BCD8-6124-9C09-00000000F001}21566264C:\Windows\system32\cmd.exe{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:13.003{80A11F3A-BCD9-6124-9D09-00000000F001}2536C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Get-DomainUserC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-BCD8-6124-9C09-00000000F001}2156C:\Windows\System32\cmd.execmd.exe /c powershell.exe Get-DomainUser 23542300x800000000000000049269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:14.648{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66D923C0F9839E14986050EBD5F54C3,SHA256=6289703E72D3C17606EE24D809CE2D5B47BBE6FBA38B725B413FAFFFDE49A716,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:12.768{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:14.114{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC8488D6E52119F1AD75D110C4989EC,SHA256=88FA71C18EFFB03BD589D23F16326184FA85D721F3721DB49AB31073BD402572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:15.663{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052F6A778FF4321452A19059AD2C29A9,SHA256=A21EBA884F6FE54422459D5197E599D205938BD3011C610B8675CC6FCD279800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:15.145{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836406FFA423D350EBE1320EA8394872,SHA256=B93F3A5E4D405ECEFACE816DB12FC9B6B49B182CA5D11400C158E083119A4664,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:11.101{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61705-false10.0.1.12-8000- 23542300x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:16.364{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3CB7D2D4279564346B6EB829775268,SHA256=4145AC817E90072404CD1D6C9F70D601186F33252C1EF0C4E976F306EF046EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:16.678{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D736D3F8B6E4A7295B165BA9D43AB,SHA256=B2D488BCDC6777D513501E94F16B473BB8FCEE36CF1F5988C11CC1C420281435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:17.411{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05534A24A1B3304FCC7C370DE172ADBD,SHA256=17C31D8D359D242D8F0AD2383F20EF9C4C625583CC1755471897F3879ED9F398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:17.693{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C6E4ABE20C95F4CA0D0CC2C9F3A804,SHA256=72F35070DB29CE51115E09C20D87E178DB9901339641F1DCFD178F9F770242F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:18.411{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A62DABF0D19EF6992593199CA15235E,SHA256=8A49CFC689D460E2C763FAAF7602411563CE980134D11BE9B4DE340DC032FD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:18.710{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096835B2AE33E219E1B23042B7DB1AF4,SHA256=A14022DB87123F42C02109572B8924108F75157DABD8C6B2E67F802CFB85B70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:19.646{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EA01E0D89BE016C56716BA8F813D63,SHA256=DAD30C8D1B6C60D37764B2A7DDB24E8AEFE7D33C4D834113BF5FC38BDD95CA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:19.730{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1419D3E81D8BC54D708A5A6F7CACD2C,SHA256=5428DA59DE3402F8C6F126251F02F46DC78030136FE37209C4F2FEB868856A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:18.690{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:20.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4AEF7F4EBF9A12A112958BF522B1D,SHA256=1AB4F3C57D12229F4272147FA376BDD04B1B3A642A1A25E8178BB9951B933B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.745{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E1FF4BC1491A01F6E46BB5983A8A29,SHA256=C6240EB1D264DBF208B4664C963D7017A5CFF7A1CF1FF857A0616C30FBCC2534,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:17.046{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61706-false10.0.1.12-8000- 10341000x800000000000000049292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.245{80A11F3A-9FFD-6124-1600-00000000F001}12961924C:\Windows\system32\svchost.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.245{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.214{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.214{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000049288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:33:20.192{80A11F3A-BCE0-6124-9E09-00000000F001}6020\PSHost.132742712000928948.6020.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.161{80A11F3A-BCE0-6124-9E09-00000000F001}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3ql5kylf.djw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.161{80A11F3A-BCE0-6124-9E09-00000000F001}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l1sizrtc.kce.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.145{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l1sizrtc.kce.ps12021-08-24 09:33:20.145 10341000x800000000000000049284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.130{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-B9A5-6124-1709-00000000F001}70045548C:\Windows\system32\conhost.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-A44A-6124-B604-00000000F001}27884036C:\Windows\system32\csrss.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-B9A5-6124-1609-00000000F001}44045216C:\Windows\system32\cmd.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:20.092{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:21.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2576A73F79383EA75BD96B4C77563DF6,SHA256=97561480D5FC7B6CEDFB28122F97B2245B30A5423DE6AD64A6BD1D21075D380E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:21.775{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6759DED76F566B59482154C835C3DBEE,SHA256=F2D5A4726307B2BBCC2A71B597B9AC835B571274FB3EBE7A725B7552A33EA15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:21.145{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99C15F63F5C4E42636E74EEBAB85F3DD,SHA256=163FB5AE04729C5FF7EBDE0C796290E384BCE8EFA245CF4574CF6870D033819F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:21.111{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EDB9A3D014C11F9069C7AE8C4456196,SHA256=04B4F232D2836A4901F28F0F5997E103E2B8ECB3A9A384361356D03F897C7871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:21.110{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB263EFC058E62E465BC664032D1C77,SHA256=2E13BB186D67C45DA0E8D487A57A320206D31519494589BCC87E3C89D40A3270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:22.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF8709DDE14C90A358F0E923735DD9F,SHA256=4B91436CA9A5160535027E84B1F61B6B825727B6264673CA78A6C6D34B217958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:22.790{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223DBE0976E23BA1D48AB46CE967037D,SHA256=AF757D40C374CF7144462FC0F96D61C50F25F670A706F97FF63C6E81C63B220C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:23.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEADF68B968A404A919740A01651FB9,SHA256=9CE368BC1CB4755DFF7F624C3919E8C775348F904007460E39C1A002EE501BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:23.807{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031E501ACFE2F0FB816BCC83195CFECC,SHA256=DB01D4D2D0267A7F12A4C485D9AAFE2B96F98064EE7801D0E582B6DCEB092275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:24.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CA97ED832A0760E05CBD186371F7A1,SHA256=0B2888344FD558BD121CCDEF9122354BE99B1CEF3BCF6EF77393B9072CF51DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049308Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.826{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADBA73C526973B2786C31534553401C,SHA256=8570E4CA17E44BB6763D0F30D6CBB3E2E262239CA31144C330C341A3544A4AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049307Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049306Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:24.641{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:25.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB56BD7BA077620538ED59A6D7D56EBB,SHA256=7521EE37CBCB2AAFC1270F102D76F80895FF65CF0475D562118FFAAD5E7C006D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049318Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.840{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C253F96EE2EF504CE48383328E7B1F53,SHA256=2AB7BFCA31272CCC5F61929E9345EE1854FB7FC8FB032626F5C51498A23D0353,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049317Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE5-6124-9F09-00000000F001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049316Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049315Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049314Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049313Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049312Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BCE5-6124-9F09-00000000F001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049311Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.625{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE5-6124-9F09-00000000F001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049310Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:25.626{80A11F3A-BCE5-6124-9F09-00000000F001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049309Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:22.179{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61707-false10.0.1.12-8000- 23542300x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:26.864{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CC009E04642B13FC3A205062033B50,SHA256=1EB239C1BCDBC2A6A39996BDE327D7876BF131432DB9FE8727790AE2D3349DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049337Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.908{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE6-6124-A109-00000000F001}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.907{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.907{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.906{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.906{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049332Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.906{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCE6-6124-A109-00000000F001}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049331Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.905{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE6-6124-A109-00000000F001}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049330Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.904{80A11F3A-BCE6-6124-A109-00000000F001}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049329Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.871{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4196E809A2696AD40419AA993A898A59,SHA256=511563D1A0F4A9F028838C18C117C2670AEDDCD614065A4E7B82F69253E27646,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:23.846{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049328Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.640{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB516C3565DACBC65B830F64AC70A6C3,SHA256=5AB621236A64139E71CB39117DB7624111106D4CC1A7CC7A2B283AE2D9BFB382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049327Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.640{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EDB9A3D014C11F9069C7AE8C4456196,SHA256=04B4F232D2836A4901F28F0F5997E103E2B8ECB3A9A384361356D03F897C7871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049326Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE6-6124-A009-00000000F001}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049325Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049324Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049323Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049322Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049321Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BCE6-6124-A009-00000000F001}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049320Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.272{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE6-6124-A009-00000000F001}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049319Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.273{80A11F3A-BCE6-6124-A009-00000000F001}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:27.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87572C17DC05E5C040D169DC1A4B6E4E,SHA256=C6B11CE18D6A5DD062A683D5D3397C34517C4EB3C0832405B96A3E4D243F5963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049348Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.942{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB516C3565DACBC65B830F64AC70A6C3,SHA256=5AB621236A64139E71CB39117DB7624111106D4CC1A7CC7A2B283AE2D9BFB382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049347Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.871{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AC645A7FF870FF339F7AAB7D3E207C,SHA256=8D7E66213535515287A9F851F3AF9A63542AC52417DFFA500DE7B26C397B2762,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049346Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.807{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE7-6124-A209-00000000F001}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049345Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049344Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049343Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.805{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.805{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCE7-6124-A209-00000000F001}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.804{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE7-6124-A209-00000000F001}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049339Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.803{80A11F3A-BCE7-6124-A209-00000000F001}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049338Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.072{80A11F3A-BCE6-6124-A109-00000000F001}51405556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:28.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92287B40C3FCEDBD30414CC8D2518645,SHA256=FCA04ABF55B03157F8F2E194DC891C2C5F4FBD1F36144CBDB65A973946A9032E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.955{80A11F3A-BCE0-6124-9E09-00000000F001}6020ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-391.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE8-6124-A409-00000000F001}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCE8-6124-A409-00000000F001}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049366Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.940{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE8-6124-A409-00000000F001}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049365Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.942{80A11F3A-BCE8-6124-A409-00000000F001}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000049364Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.924{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000049363Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.908{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049362Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.908{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.887{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16C3672B841E2772E323565636CD424,SHA256=A42EB449902ABAAC932FEC820922E026174461380CF149BDFD5930B7408DBC77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049360Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.520{80A11F3A-BCE8-6124-A309-00000000F001}42801136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049359Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.474{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-119MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049358Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE8-6124-A309-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049357Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049356Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049355Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049354Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049353Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BCE8-6124-A309-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049352Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.340{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE8-6124-A309-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049351Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.341{80A11F3A-BCE8-6124-A309-00000000F001}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.287{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CB43E2E70E588FCA30C0874B391A58A3,SHA256=64F76687707575D310F6D26B97EDAB212709590FABAF952A6F9A7337497FBD17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049349Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.087{80A11F3A-BCE7-6124-A209-00000000F001}17961572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:29.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C68AE150377E64FE1771B4559F68CE,SHA256=C61F637263BFE5DA2442157DD105ADF14E4D9A8273DB77F08CDBC04CE69805DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BCE9-6124-A509-00000000F001}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BCE9-6124-A509-00000000F001}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.539{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BCE9-6124-A509-00000000F001}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.540{80A11F3A-BCE9-6124-A509-00000000F001}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.488{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.355{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2512FB7C60571B44618F5343DF14A4E5,SHA256=2E00BC94D8261E7FC427F9A0653A1B73060BBE08A789D8480E3A9858A83AC151,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:29.186{80A11F3A-BCE8-6124-A409-00000000F001}58484184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000049383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710857) 13241300x800000000000000049381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0xb665e4b5) 13241300x800000000000000049380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798cb-0x182a4cb5) 13241300x800000000000000049379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d3-0x79eeb4b5) 13241300x800000000000000049378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000049377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710857) 13241300x800000000000000049376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c2-0xb665e4b5) 13241300x800000000000000049375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798cb-0x182a4cb5) 13241300x800000000000000049374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:33:29.040{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d3-0x79eeb4b5) 23542300x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:30.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E20D5CB3EE2EF320EDFF3EF9EB577E,SHA256=8343426D377F997002E57D95C0E0D991235D102E1905032AD7B16DB6915E1957,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000049410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.862{80A11F3A-BCE0-6124-9E09-00000000F001}6020win-dc-391.attackrange.local0fe80::602a:bdbc:a5ca:90b5;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000049409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:30.572{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8C45E57B31C6B42F487BE175C58005F,SHA256=66CDFB5540537B2E8D987055B94EF5B9CB76F6E3EBA2F655BE654FE55A6D2174,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.394{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61713-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.394{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61713-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.205{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61712-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.200{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61712-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.111{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61711-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:27.111{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61711-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local9389- 354300x800000000000000049402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.983{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61710-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.983{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61710-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000049400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:30.141{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B4C50BD562E8390FB451E876D26F092,SHA256=B99E514012677AABAC90B4BD6324544793C3A178020DED2D3FBF023B028AFA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:30.141{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B69ADA8392D1A398CEE5569FB540A0D,SHA256=106804E9798CAE2C15760ADE2C1DFBE214983DEA2AF187CA2CAD818F452E6A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.869{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61709-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.869{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61709-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.863{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61708-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:26.861{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61708-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:31.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365FEAAFA773BC060685671303C047E4,SHA256=CF04B23B0FEE03057AB3774646ED1D649C36E224D4A61F652EF74222DFAB4816,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:28.094{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61714-false10.0.1.12-8000- 23542300x800000000000000049411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.026{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C663DB20F834B76F327EFD65A4014EC,SHA256=327B44F8897EC4C7C3B9E6E28179F454011ABB3CB8B557F545B7C6E5F585B0AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:28.878{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:32.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F97AC157A2D8384998C3C7F7AFEF50,SHA256=FBA489DA7B5E7A15053A78DEA62D60B50A5CE0AC3C35478C76D560B7C78EDBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:32.072{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78612F8C109E077BC551053626D1B28C,SHA256=87D4107D919FC62894EAFBDC83E71F332B15820BB49E6B390E0D8EFE77B9943B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:33.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71BC67FA1882928E0AC9E969AD20D32,SHA256=79F0322E5E33DB70E988648796F090E196A23F890DC3E07C7C3F144100C8C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:33.005{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:33.870{80A11F3A-9FFB-6124-0B00-00000000F001}632680C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000049414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:33.086{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F41C90BE1547D405F9E9ABC39D4AAF,SHA256=F1074BB3416F24351552B20B449D93CD5ED93EF152248053523DDB9AB744EAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:34.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8FD850D87BA9761AA755987BE5FE70,SHA256=80C6E61B5F3731B17CFCB5657E7876C97FC2ECE9087392F0149051B87AB981A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.695{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61717-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.695{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61717-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.694{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61716-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x800000000000000049420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.694{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61716-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x800000000000000049419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.694{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61715-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000049418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.694{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61715-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x800000000000000049417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:34.770{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3367201C08D5198C231F261F96F10FBB,SHA256=6DEBF78DC4FC36DFAD766723E8CCB81DB8E95C94B4A55521E8305A5D84CD4D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:34.107{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4C2287FB7A56A5CFF5DDEDB027E3D6,SHA256=F54C4BB87C34181FE7B802CDBA1A5666A22913497890B1249BFFCADBDB35B7CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:32.612{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:35.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5034F196962B0BA9F2C562CE4D555A6B,SHA256=273FC5430BE93AD9C1737B8A526F02BAB0AFB66091AA9ABCCDCE51E94AED09B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.816{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61721-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000049431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.815{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61721-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x800000000000000049430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.813{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61720-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x800000000000000049429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.812{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61720-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local49666- 354300x800000000000000049428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.811{80A11F3A-9FFC-6124-0D00-00000000F001}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61719-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000049427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.811{80A11F3A-9FFD-6124-1400-00000000F001}1060C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61719-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x800000000000000049426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.704{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local61718-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x800000000000000049425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:31.704{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61718-false10.0.1.14win-dc-391.attackrange.local389ldap 23542300x800000000000000049424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:35.123{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ED99C30E808ADE6CCA98A787062D58,SHA256=B4A06B3D4DB2705AFCCA43D3D37EC202BB1D0E252BBF786E312AFA0AAC043D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:36.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966A3C08AE089115C85985DE0C7025D,SHA256=59FB480EF9C831C0DED5F0C6E517B61C8765555821E84B8E5A3B2BFE9BE944F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:33.881{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:33.123{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61722-false10.0.1.12-8000- 23542300x800000000000000049433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:36.125{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988598D6A5A0FCD12292BDAB9F3055A7,SHA256=CB5199EC71055B49D79A30A7F8589B7FDBDDE6AB5D1E2B05DE2CAFFBFF2521F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:37.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75208F2A0E9CEC87761F9D6B9391237,SHA256=6E48A0EC7EA70363C0D5FE4764AF538388E3C23BAB51112A1F690CF288632F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:37.125{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E67F6D1BC296D5BD752F93CB6C5E1F,SHA256=D4DEBB20E232A3AB6633411D100A38B1CC47C8FD08E7CBBEBFDA896F648CD09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:38.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468E665299AE2AA874D8A63BE900D7AB,SHA256=41FCAFFD1559F25A23CFE13C378D7C1BAE7AA643D8ABE0CB2E0B65B0C42E0105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:38.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7A0DD5CF84A8EA86C402713AFEA86C,SHA256=7FCA98181A25BA357809C12127C323DD5B5F5A4E4FB20D443A3E7D9A4C8759EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:38.140{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E89C1E2FC2433967F94BDAD85AD437F,SHA256=EEBB0DA2000295EF88AB9AB2F18599F37E30D6B37EF37537F202837BBC2FDE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:39.880{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FFE81F4923F1BCC818F2A755B5F50,SHA256=97C7F67031FC28F5C8CD90CF00CE216C143391274E75578256DF1B32EC998FEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:35.678{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61723-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000049439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:35.678{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61723-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000049438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:39.141{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59267867D29B66AC875C81C50F83AA5,SHA256=179A168F3E7166977A03DBD390087BCE5B0FB456E36E7BB12EAF90C8ABC2EC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.208{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.208{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.208{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.205{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.204{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.204{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.204{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:40.155{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4FF51BC70A7EF242235EDCD4D4E7E9,SHA256=D7775329C7C5D1D6CB2BF05A84C524882047E39E8C4A445C925F45E12B0A446E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:39.722{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:41.114{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4F719753DCFE938E3875B2A7E70E24,SHA256=A8EAA31E25EE35623F5DCDA4D590AD74F63676EE6B005FEDD9A500E792B33333,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:41.238{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000049451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:41.238{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:41.238{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF713802.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:41.170{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FAFAC8B6163BDE16E88D8E6FB2BF16,SHA256=0F82BB9C2F2A0A72632EE83DEE6DB20863AB55A1719574EE854C4221C0B4A3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:42.349{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F14E48AA1E88D6EF2259443203D820E,SHA256=8D093CF5406A2A1FBC85461D9C5637FE6A16EA7B579293B53950F567DFE75D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:39.092{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61724-false10.0.1.12-8000- 23542300x800000000000000049453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:42.185{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B5F0AB1E5A2FB03F4EE97E5A9430BD,SHA256=36FDFDA24139474DEB08B72BF33380782BFB5AF7B11D20AFA2B495500842DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:43.567{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12E7413F8D56424FE21C6ED58C8FE9,SHA256=EF8AFE029D3E3FB3CE391842B1408D54EAA53CB4CEA1072EF256E725BA8DDBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.221{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC2F8C00957E8FBC65A84CB254AE6A8,SHA256=6DC7442A9F60B44395ADD5A69AB1B9F9DBE67944BA00B57A8C9F6D909A24AAEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.006{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.006{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.006{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.006{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.005{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.005{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:43.005{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:44.801{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046627C27D3C87361A1FA2B45252935E,SHA256=1451DBC9938AAB0B4E907314BFF301FDA58FC122E9A98A563D0EEB7DB92384C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:44.236{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFD9CC57A6E6D1BDB2E311F35743EBF,SHA256=5C6112DE705131866E43E4E2A27B702AEC17A1249B16D527E4EAC628D516F474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:44.679{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-112MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:45.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F54313EBC6DB6BB0DD5407C787521E0,SHA256=B7B9ED5F434DF5BFAE74584E301EEE5BCF664F5F4F3491689135B3C18955A0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:45.693{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:45.682{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E48263EE167507257826D3CFCB732B3,SHA256=2BB24A02C5BD761F4BE665A94368A82053F12785EFB3596D1E65850B587E6833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:45.682{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F025156F2AC2AB0537C7A0B774B967B,SHA256=95F4F02706D3D7B7851D8A295D35A7A78C8ED935039E775D44AA22006A21773A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:45.251{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809F45D6119C63C442390EBD0C991ADE,SHA256=B60EBEF3467315E1A93D5557137A5BB7B9DFFD51F9ED8F8D84D4697413897D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:46.912{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C611558DCF3620C8135C499F779DBDF,SHA256=D7923AE4575FB1FF98FEC48B18F2DD7DD0D86CA2700C90365E1219435F1AD44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:46.282{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E65FED51BDCE7F9FEF2CD188E9D1678,SHA256=31E4DC3911D60A7B63EB97707ADBA3FA06CA549D003DC8EBF4E2B60664182D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:47.912{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FE1B0EC873A4EBEC0D35C99528A9A8,SHA256=5B12F95086FE4989D789AD2C8237EC2170E7A39E9B3FC53D63AFFCB7E10737A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.301{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF70517EEB791D5C1A03FECC5FB5E44,SHA256=6671ADE74F9381E183FA5571374A584744BEE7ED11B36DA63372DBC96E327ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:44.737{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000049474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:47.203{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:48.912{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCA6118A6C3567E47E76051505D1298,SHA256=197720A84336CB3B666EFC97CE1984405A66F91C4D6C9AEDDE09468DCC6B30AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:45.087{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61725-false10.0.1.12-8000- 23542300x800000000000000049476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:48.320{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D2E04B9651974AEF1762D1BCB472D6,SHA256=5B9BB3F1C8E888A626F66A67E0BC6FB61DB7F9EE46C3E0A317ED00ADD9E134A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:49.912{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7541F3B7BBA3C1E1D72E5B7088771FF,SHA256=72DCF7C872DE2991430AAA8A13D368E100E70602C12B1C1E286522475DCC4B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:49.335{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5046DBAC8B9B89B95B5C3C053D5F3F2,SHA256=28C2679CF4ABDCE6A3D6555EAB2654A85C7D7811CCE2DC87E078F8F631083095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:50.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CB8286BF2CEA5E3D144295AD9A315F,SHA256=4BA5639E7363B53E6D67EF9025167514B7AA13E6CD0DC54054D63BDFF0EA8721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049522Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.819{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C6668CDF8693CDE9B4B1376D97EF85,SHA256=DB842140D2B295BAF5028B29D1639EBAFC117D15E0F62168B6B99AFACA2ACEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049521Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.819{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E48263EE167507257826D3CFCB732B3,SHA256=2BB24A02C5BD761F4BE665A94368A82053F12785EFB3596D1E65850B587E6833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049520Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.780{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9190182D54CC0964830C131BBCD11A,SHA256=A32D8F59F9A2899D538BF4D1AB9EA7B5379ED18305746DBAA6FF43C5674B44CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:50.869{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D328EBCBA335F50718B54D3F68037C71,SHA256=D6876FC2D7817939EF12D4C4FCC0AD2350307962AD37B0405BA657CD7C86BE18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049519Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049518Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049517Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049516Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049515Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049514Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049513Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049512Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049511Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049510Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049509Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049508Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049507Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049505Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049504Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049503Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:50.018{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:51.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F6B109654E9EE6C3B05F38464CADC0,SHA256=9D113C137E119DFE0E404E5D1F53114E3B89C55AC4BACE66F3891A00E15F7793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049524Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:51.817{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0255060809B7517781B3FF88C086322C,SHA256=8299C6ABBEE989434774DF758571A77B83B1197C6712036AE75E74914CB823F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049523Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:51.333{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:52.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AED0C844BD8F4887D655A6A884BB62F,SHA256=92C2912877AB2BB76D1C312D1D420CDCC0BF2486C4B6E72BCE4816F4542C624E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049532Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.817{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3FAFFAFF628DFEABCDB9337EED8FF4,SHA256=51957AF5DEC74FCFBA38B0E5BE3AB67C9576056DA4C1E1B23C8EB7A39C75A928,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:49.836{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000049531Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.201{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049530Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.200{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049529Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.200{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049528Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.196{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049527Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.195{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049526Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.195{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049525Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:52.195{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049534Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:53.848{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E32D6015FFC8F196C899E1A903463F9,SHA256=A8D0B281D0DB218398667BD1F8645C1960F6570D5391B8CE94EE6ED1A9D8E6A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049533Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:49.255{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61726-false10.0.1.12-8089- 23542300x800000000000000049543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.931{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC252F83B6E8EB2E3BFA51E1C6BAF3,SHA256=5F5B689AAED686DB78CA56A1C4261082A238D8AB8079596DB7BD0042C363F4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:54.010{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C700BDD1A869CD3238EAB300AC05B2F,SHA256=B9319CEE96959F4BFEC9272DD71425757176D5EDD16323563CEB86E10423F390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.616{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.616{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049540Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.616{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049539Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.600{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049538Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.600{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049537Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.600{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049536Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.600{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049535Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:54.316{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DAE1196BD1ACFC95AC0AF4FB913E97C,SHA256=E303C089184DD65581D25073F1CEEE511CE039E2BF8891BB03ACF5722B18B8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:55.946{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BC0DFAD82193D534302AA1E966B1C3,SHA256=23C0546821C08CAB3760BE7EAC0306E4C35B7930373888877B6277E848B1BBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:55.010{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6E3BCBB475F10EB082411ED156A994,SHA256=31C9EA0C68CE6633CF2E84A2A5C7D37C24DCF03EA3EC86B835E94687087779CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:51.102{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61727-false10.0.1.12-8000- 23542300x800000000000000049546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:56.960{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571D2E8543C9BA62B30BEBE40F9EF62B,SHA256=1A8D304EE12950C5AC3246DB027DE59B25D9BEE579DEBBE1595A4F8A42C662ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:56.228{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698DB9BD0868A69D45B301ED31E13FA5,SHA256=C4CBD00606CB026682ECBDDC769BE7F07BA786F1EC9242FFD342C85E109A0A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.975{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC9F457314AA4D4816B0978D26A6A92,SHA256=B9B41C66CA38F050AF8025B213C17F5E4C457DBEB9AFFB77B961D029140E49B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:57.338{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BFE43FBDF6FE065D21259AD93A6483,SHA256=09454ED83BFEC789AE3AFF05D9EEED885F5E423E2F23A095B4A12FF3ACDAFC4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.729{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:55.852{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:58.353{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3EF725702487530DD7AF8B39DAA326,SHA256=E9E404F6104767B2061FCA607062AC7C04BA4550F79C40B1F5518C550418940D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:58.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4BEB42CA8D821849B7DF0094924B51,SHA256=BEFC41A42582A0D10720818DFC145C7C26FF3434CA7D0F244674232573AE636A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:59.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB17FE81214CD4996B1C60CF83E845B1,SHA256=5636539ADB72029A4686FB1172479188B2FB05842BD2D059B7B71ED874DA244F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:33:59.588{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803CA3A6B144BB5742D3E5A338A65A9,SHA256=E08F4E5FE780E593084482C3385C53040D685E1637B894552CE7C0AEABD65BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:59.929{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=317DFA4165037540519A083BAB0B9D1C,SHA256=B998452A0627218BF94269FF7363B900BCF18F28096E352D8D74F95615B41E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.977{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.977{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D96278738BE0FF14F8E3361F0B9BA8,SHA256=F4756338C568016C5E0CD14B54F421A3F54B77E6FD111724B3226C64AA5D09DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.977{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.977{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.977{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:00.650{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E9FFD8A4F9C39E85258133666AAC9B,SHA256=2B04F8AA5871F5647EF47AA7EB50564CD514D9248570693E24CFBEF62E9D75D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:56.854{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61728-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:56.854{80A11F3A-BC96-6124-7E09-00000000F001}6972C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61728-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:01.760{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1007AABD10CE994ED072877CAE87CD,SHA256=BE46F433876EC3E0FF9B6F9D6317A1AEA440A33763B50556C17FE2F41244A2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:33:57.129{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61729-false10.0.1.12-8000- 10341000x800000000000000049567Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.998{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.998{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:00.998{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:02.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F90BE5FCB96507109967406DB0EEBCE,SHA256=EA7CF8BA54A3C9D590C592CF3FC13E93EC02F526A86D33089B6B0A685D4B64AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:02.344{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D6FA514C6BBEB1BF4473AD40278FF41,SHA256=757A1C8144D2AD912E45914147601B9E9EB6B107B9D30225BDDA6C40656C862B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:02.045{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BD389568124CAADEDDCAC3EDB58776,SHA256=9D54E8F01285B504F585D164FF4510079AC88F716D85A7BF97511EC0F9E576C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:03.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57C0587802AB5D8ADB6FFE586EA19EF,SHA256=8FC9BA7F3B3E90222762F54B5D5EC9AE1F5393AEE1838E757A7A8380F5D35C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:00.883{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000049578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.212{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.212{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.212{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.197{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.197{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.197{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.197{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.059{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C6D637F7CC8CBE0AE840C442C72891,SHA256=55FCFEEB6E1E9004E06E4DFCE77829E733B37DD67C6C0FA00B35A64B4B5EA20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:04.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297AABF930FF244377DF9878AE787807,SHA256=8608F8FC0971478EAECC5C3D96498212862DC9700367B38249885879A5D8212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:04.076{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAB0DAF4BE0AD2941BF6E29BD720D49,SHA256=3F2A30C2A230B842BF157C3AB7E73877A0487EC669EDECA3AE67DC5FBCBD839E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:05.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5C2F78C4D4CFFD053716DAAEE223F,SHA256=125A32E6242FCC5EA1F456588D768E583C2867AC6B34845D3F9CCDD04C4926F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.759{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.744{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.375{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=192439A90155F8B350A9ACC8D009D136,SHA256=E558FFEF7034FEEDCBEBEC86ACC43194F34C7F03D01B41868FF707B8741E6EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:05.094{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D85A7BBCD4F32C7FF417D3F5BAA220,SHA256=CF1CA14D95B75880898188B00B3A00E62CA0C68837930DA4AE246EAB43C1FCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:06.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DF33CB44B139AC3DFFAA2D1A4E6F7F,SHA256=7F5746DA1980F9D6A5823AD643AD47EB10341D2B0DFDE67D60D6701C85735C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:03.129{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61730-false10.0.1.12-8000- 23542300x800000000000000049589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:06.112{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273EF1B6F2E8233BCC2281F32EE6ECB,SHA256=2CF42443017A25E5958AB80FA9D0D4E50808C550906FAA6EBE89D6F3B31CD2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0D25B05BFCA5D6025E7C89C86489F9,SHA256=1FA9BF9D1322E746FC288A8806B45FB0460F15DBFB545EE069B0EDC6B79AF6E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD0F-6124-E706-00000000F101}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BD0F-6124-E706-00000000F101}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD0F-6124-E706-00000000F101}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:07.760{D371C250-BD0F-6124-E706-00000000F101}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.395{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:07.127{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0964E707F275C94F229241F56C7EF71,SHA256=6A6564D4439C2054805E13830D61BB9E66E15873D793E0A1908CC011C7345A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:08.389{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C4CAE8910917A825263C2F0A722EC8E1,SHA256=28682A641EAA56BD59818815E4991105ACFE2A26117F3FEDFA8F08ED3E61DDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:08.142{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F29A8D942212760FF260C148310335,SHA256=67F9414CA0C4054EF911E4A2607C3BF1CEE5AD65D264AB83B0902886280FD416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.775{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6362DD7EE2351A3E61C677B9E4D7242,SHA256=1DA962D3BC5B9A62C17E006AC2867E385C3E8861BA83D3CC414A619D48CFA277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.775{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25193BBFE0EA5164722F1EC3E457295B,SHA256=F87E127D690EA52F49524FBE0364388C481A0C3B1A12F6218F271CEC59ED9F0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD10-6124-E806-00000000F101}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BD10-6124-E806-00000000F101}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.431{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD10-6124-E806-00000000F101}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:08.432{D371C250-BD10-6124-E806-00000000F101}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:09.172{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B46BBA1292AFBBDBFFDEBAD75DEDD17,SHA256=F7DF05D847364CF3936F015053AEE2F47B96AB1977C3BF93F34A39C029140463,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:06.743{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.244{D371C250-BD11-6124-E906-00000000F101}28002424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD11-6124-E906-00000000F101}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BD11-6124-E906-00000000F101}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.103{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD11-6124-E906-00000000F101}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.104{D371C250-BD11-6124-E906-00000000F101}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:09.010{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EB4F96B17E6B09F1CE39AEEDCD4C81,SHA256=15DCFFB7D635D2E6755DA929A9CF28ACCD5078EDBFFF9937FC0E21D44C393757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.296{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7699CB763CC3FEC5E3BACAB510F70E76,SHA256=879B5B409EE59E80D497EE7DB673F2A164D62730112886F677EEB7D0D7DB2AD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.139{D371C250-BD12-6124-EA06-00000000F101}28122932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.119{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6362DD7EE2351A3E61C677B9E4D7242,SHA256=1DA962D3BC5B9A62C17E006AC2867E385C3E8861BA83D3CC414A619D48CFA277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:10.189{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34CF4D6632EDBC8DE21690CC93A6FF2,SHA256=760929811EA8ABEB05BBA248C5A5488A45530B7BEAB679E6137DAA171A075FF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD12-6124-EA06-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BD12-6124-EA06-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD12-6124-EA06-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:10.010{D371C250-BD12-6124-EA06-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD13-6124-EC06-00000000F101}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BD13-6124-EC06-00000000F101}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.858{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD13-6124-EC06-00000000F101}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.859{D371C250-BD13-6124-EC06-00000000F101}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.374{D371C250-BD13-6124-EB06-00000000F101}32642820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD13-6124-EB06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BD13-6124-EB06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.202{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD13-6124-EB06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.203{D371C250-BD13-6124-EB06-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:11.124{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC7B248B5A27A08789E9669A1BC2AB7,SHA256=90B32EF1693F1459FDE5E0F1BC816C8818DB6A4DDB202481EE138E46C17FB972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:11.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F56E9BA1EEBFD5FEBD9D8DD966133F,SHA256=FC12F8CDC0C476CA33B0D72E690CB770B48D099026231CC587B4F5C6B8DEDE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.577{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0902DC9CBB6B6EA8688CEF897D3604CF,SHA256=DA77DA0E3872812E0043B87DD86F91AB6FA2FD6626A42F05EC0F4C929D4F2B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.577{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B77BC4A95A6870D1C761E74E7A009B,SHA256=62BF859C8220AA5AB45D9EEF72E4B4FBDE0AEBB10A8404DC9F694A08363E4CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BD14-6124-ED06-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BD14-6124-ED06-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.530{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BD14-6124-ED06-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.531{D371C250-BD14-6124-ED06-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:09.061{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61731-false10.0.1.12-8000- 23542300x800000000000000049604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:12.238{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67AA8AD09980F92F26CAF4AE60B98A1,SHA256=FA29997B3CF8F50CBF3A98550C7BF00B1D70BB6F647859126CA300C4B576615C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.046{D371C250-BD13-6124-EC06-00000000F101}16602960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:13.577{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=901D236939D6EE1646464F48D81529E2,SHA256=0C55D8A92B3507EF34C0191B9352B8503F3F5ABFB5587F40EB871B30564DA9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:13.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85A11FF213B750972C505D4C2CC8E45,SHA256=37695A1A8E9B0CA3B8B1337819F82C6C526B2C603961F3161DE874CF30A21BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:13.268{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FE563716B4F8D16DA1832A0E108032,SHA256=68B78708B9969EF5DA3E38676F36FE8D5F0E31EA2953EDF97D24C68A08C40629,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:12.685{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:14.702{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF671588ED70E3E2EF793AA3DA5031B6,SHA256=E241427984148EF82347E5BE9E982ADCAEB87D2B4844B17268FC3E82DD00FCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:14.285{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EED62A1C5953CADE6BB1F1D32826414,SHA256=6E2E930C741DF4601B8618FD251C586A1C7822D3447D61BF23737C02FE2A8B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:15.921{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5471B326A9B34F9D0F3A8A88DBF06A89,SHA256=ED6B63AD6685DE25218702D649FB695FE0E638FD12B134430068C6B3FFC30263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.304{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3AA40E0EB87729B546C92E828350A5,SHA256=2F6FE73E63150081FB671773C2C21D70102645D74C31581A22C25CEC994E8A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.004{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:16.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5C71146CD67BE01469BBDDFC8D9F20,SHA256=C3EEEFA6C3DDBE37A628FE2FC91C2534F7A2CCF3BE822F702A9A527C07DCC98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:16.319{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD92F5D5CFB4A79085CB59C0B9CBEB03,SHA256=27A92B1E76C87F861E9DF9FC88E30F5A9890C24E74801BDE9053423514049601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:17.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A60084B47EBF228165B1D9A04DBC3E,SHA256=AC9F04A0D0C8AF7E7463FBA731E70E07F9C05B83743F2D3EA8FFA67594030972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:17.334{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9445A2DD687F6B90888C0F821EF277,SHA256=15B556A4074566161E7DD4F11B57BA4C36ACF6DCC7F12D2789EE0BF0486A2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:18.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DDA291F94761A719984CA92C5285EA,SHA256=C4A7A775378DDF7A0CDF95FEEC1DADC9D92344E3A25EA9DF1FAD5BEFCEE4720C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:15.041{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61732-false10.0.1.12-8000- 10341000x800000000000000049625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.448{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:18.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B124CEC118D7CCD68EA3B89C9D6215,SHA256=DD762BCA0E0EB3252B2D150987AE65DAC439EDF4A2783AF32F588507543B2BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:19.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F9E33C6C6370D515EAB48E12C53661,SHA256=63CE1968512E308BC0A1E76F505BF8D26B30BB8A668A2C734B2E21D7EA933D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:19.993{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9BC0E7F2D6594803508E1CDE1B1B8F72,SHA256=180B8B5B4838F5361FDE3829A4EFDB199BCA111108B658D258325940DA3044D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:19.352{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF266CB6879D361F4F83597B6218E48,SHA256=08CCD203B98D33208ACC587CCFB2CF969BE92966C409CAF851F3F0CEA3BDCB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:20.691{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ECB31564544B6B99C61AE2F00A705A6F,SHA256=E0BCBC141089FD50007B90110486FA2A300DB4E407DDF72E8CF14B68F155BC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:20.360{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91C551A8E669F910124EC610832B456,SHA256=FD794B5ECA7E5EB9477BF9496FBF32E17702358FC849D9EAD42225AE9AC18F71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:17.748{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:20.150{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=48E75F2C3E22EB4896C6FE884441F91A,SHA256=792D20BD4DEB66DC48D335A5BB1F0C00F7EBE161F4D07EBDF2E8413ACEE49511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:20.042{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8B14707C27CCF07A66008D880307C912,SHA256=B22D6EC612D7DC527201F615376559CF0DBECF86E95FA22DF728BD77678DD8A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.390{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.390{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.390{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.390{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3FD50532BDC1E1A51D925EBF1F6379,SHA256=1486D721C671708691573B0E69D263D56266896AE08B19D4EE32CAFDE910D3D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.375{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.375{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.375{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.375{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:21.155{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7B9B8DDB67D69E10515FFA246EC5E3,SHA256=727530E88B293019B67ACE99E5E87AB63D0E26E35B81A5258C5ADE8DFC38B22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:22.391{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2356BB1F7A091460F4667B353A4C593,SHA256=54FB066BEF4731258F7FC8D9912A7C29C85BA6BC4CCAD6B7D9E086181716B73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:22.171{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D1A6B2D155EB43D58BD95627AC778D,SHA256=A08C55B91E3CB6030CDC7551E8690E7B936595136F2C00CD9A03E8D062C3B828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:23.311{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BAD7B474D509103A5605144591BF001,SHA256=BB684069DCD3DCCDBB40A0EC213CE65DFDA3D2C6C1DE186D4268DA67958513A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.858{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.858{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.858{80A11F3A-A44E-6124-D004-00000000F001}41605700C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.843{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.843{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.843{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.843{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.428{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F289D5191A21F2D0193DA32F00FB6E,SHA256=72784788FA0E6A9FB9E2D22835AF970DD7C4B7EB52E6FAE78CD0264E8552332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:24.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F7DD89ECFBD8B8498845BDEA5A6E04,SHA256=88BC00E758ADE2A10C4A6A212DC50FA462AFB5AEF5241819348DA0B844404AA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:21.013{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61733-false10.0.1.12-8000- 23542300x800000000000000049650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:24.458{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A045EE763B8D76F1181B4EF8A802BA9B,SHA256=ACE932682DC03C527BAF3F7C044445939A4F8E6D9197D5C2EEE053033216D0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:25.640{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163ACB4EEAA8844FB5F6BC567F6ECE26,SHA256=3C3A48A4D16A48512793A66D27778124D1E20D64EFDB339552529F1B75119972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.837{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=64904D9B943E88DE139E110CFD867C14,SHA256=37771197C47C0CACDCAE3CEDA0A2EF1D5D8B1CE590581B6E6A55D224C41EC947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.737{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B165B94420A72B493F3ED84B772D3B0E,SHA256=60D9AD97A91E92900ADC78B4567829FFC6D6FE4F43680CAE564542B816465ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.737{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B2EBCFEFE1EB64DFCA389755245A0,SHA256=30119E18DBF5ED119EB4CBB86C20319AD04DA6C993200F9925E0FCD576634BE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD21-6124-A609-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BD21-6124-A609-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.653{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD21-6124-A609-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:25.654{80A11F3A-BD21-6124-A609-00000000F001}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:22.857{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:26.842{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9591F45CF9F6CA6414487B1E0F58DE7E,SHA256=468EE0915D8A118F3A0B84F8FAA0B3247F03208048F610839EC0054356494E6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD22-6124-A809-00000000F001}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BD22-6124-A809-00000000F001}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.952{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD22-6124-A809-00000000F001}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.955{80A11F3A-BD22-6124-A809-00000000F001}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000049675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.106{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61734-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x800000000000000049674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.106{80A11F3A-BCE0-6124-9E09-00000000F001}6020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local61734-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x800000000000000049673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.699{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2434E3833C48AD612ED45EAE63C3F2,SHA256=52CEACD98DCFCD96DC5658AC9EC9951F81BFA198D0E9D434F46845CDD30A63A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.699{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28C6668CDF8693CDE9B4B1376D97EF85,SHA256=DB842140D2B295BAF5028B29D1639EBAFC117D15E0F62168B6B99AFACA2ACEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.684{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242CB8994D8388EBB311C9D4BEDAE34B,SHA256=FC983530F667F3F558CE4498EE8F29475AE51A44593BFB3D634053FCBBD295A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.320{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD22-6124-A709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.318{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.318{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.318{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.318{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.317{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BD22-6124-A709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.317{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD22-6124-A709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:26.316{80A11F3A-BD22-6124-A709-00000000F001}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:27.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15374A784B0EB22063031F4F5A2C653,SHA256=01417DACC56461A81CCB2FB17BFCF00A702383964502179034AE74257C54EE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.983{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2434E3833C48AD612ED45EAE63C3F2,SHA256=52CEACD98DCFCD96DC5658AC9EC9951F81BFA198D0E9D434F46845CDD30A63A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.819{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD23-6124-A909-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.817{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.817{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.817{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.816{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.816{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BD23-6124-A909-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.816{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD23-6124-A909-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.815{80A11F3A-BD23-6124-A909-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.698{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4556810B9A5DB5D8DEB836A2CEC2F2,SHA256=26D1885F5A8F07CBCE6AD514052916F4CED9E1BBB9A2CC2873CA7BD8DF8A3E12,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000049686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.109{80A11F3A-BCE0-6124-9E09-00000000F001}6020_ldap._tcp.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x800000000000000049685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:23.109{80A11F3A-BCE0-6124-9E09-00000000F001}6020_ldap._tcp.Default-First-Site-Name._sites.WIN-DC-391.ATTACKRANGE.LOCAL.9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x800000000000000049684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.121{80A11F3A-BD22-6124-A809-00000000F001}27284532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:28.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A0503A8D94CFD7A48B413F2F18CCBB,SHA256=412FB818AE3D95C4906A5D45D46E322F9977C05148B8A8A514DA790CBC7EA24D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.745{80A11F3A-BD24-6124-AA09-00000000F001}46405576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000049706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.716{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83428212099BDF22F2C5407008D8928C,SHA256=06BBE4E2D3D85F00013C4A571822811C97E62337CD6C26FAEC08B4B061FD3CAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD24-6124-AA09-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BD24-6124-AA09-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.483{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD24-6124-AA09-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.484{80A11F3A-BD24-6124-AA09-00000000F001}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000049697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:28.083{80A11F3A-BD23-6124-A909-00000000F001}17082388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:29.952{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1EDF57C0D17DC74A2F6CCF98F1E1055,SHA256=18A3AA95635CCE415BE9EDAE6100A61103C0E725D65DF99693DBC8A5CC62025C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.764{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD25-6124-AC09-00000000F001}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.762{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.762{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.761{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BD25-6124-AC09-00000000F001}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.761{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.761{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.760{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD25-6124-AC09-00000000F001}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.759{80A11F3A-BD25-6124-AC09-00000000F001}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000049718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.742{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496E1D4699EDAEF365FD6F3E7C497816,SHA256=9D06055525853854E111D3375BB957F47662DF295B0193AEC863B4C712409F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.497{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=369DD081B9406B6B83C0653F92B567A6,SHA256=0D323AB1F37B80746F4A07E9F6282563353DC269C7C2010FBDB73E6DB6DA5840,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000049716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.342{80A11F3A-BD25-6124-AB09-00000000F001}46923204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.164{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BD25-6124-AB09-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.160{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.160{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.159{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.159{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.159{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BD25-6124-AB09-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.159{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BD25-6124-AB09-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000049708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:29.158{80A11F3A-BD25-6124-AB09-00000000F001}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:30.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56CE076CACE021B11BE75F61D7EB482,SHA256=822175D1F9A048D001A6B532F12636E53A99015D52DCF42DA9B53EC53987D668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:30.780{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=356112CD2E6AD9C7429600AA36662804,SHA256=0CF800BA25A252620168E912F3708E373F7AF24A64571FD5CF73311A101FAA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:30.742{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070D4A2FE57222C01C755A1DD7F7E48,SHA256=A762EC25BBCE1C57574E28EB18C615B80D61874CCCB2D383F808206D038E08DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:30.013{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-120MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:31.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404EDA25FBCD834BD4F9FE3291E3DDAD,SHA256=FEFE79A27F140BE05BEEC2F270E2169EE54F65ECF23838838F989A8B677C2BE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:27.049{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61735-false10.0.1.12-8000- 23542300x800000000000000049731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:31.762{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842466B897D8FACA8A6DE2E6339C2C9A,SHA256=76ADFE572CEF15B0E20C88761BECBD4EB728C5052ECC719228F8B57275292EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:31.012{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:32.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C104B552AD2CF09A7217B741EAF5CD07,SHA256=7FEEC350DC58E76446EE4DB02D4162C40C32F0205B0790B352566BA81EDED72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.779{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F721AE937744AD4B97FFDBADFB94150E,SHA256=39F51B17EEAF2CF48B7B3EF13E3545060B8163A7C074ABE4E8D57DBA8329C9B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:28.857{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E7578A2FBC5CBBED01C6BF1CEF25852F,SHA256=BF5EDDBD45A8D02DC3F0F3994F7639A75C38B02E6C06FC70C8550CBC046C0D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B4BB1742827938B384C9FD55BDC99607,SHA256=5E5E40E94689F72E2DF444D43E08533B0EC5A091B4EE087EF35637AAC4F26830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=EF0B1EA112CBBD5DB1373D60F87A16AB,SHA256=B7602569FB41CE305752ACE66CEE6BAB4DBCA1D8A4705C089FD6188A08EC8DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A140C7A21C99E07E4FE5664020EC1A9C,SHA256=F3DB9B64A1BEF91BF75408A707418F4042F79022D0CA849A6D7FEC943FF6A6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1522576C753D1EF81546AFF5568B6CA3,SHA256=981CA1EABD6EC3E0EBD3E753F2A533F2085ADA778B3E1BC32F77C0145E66A5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=57E005088935AF2E40FBA73A37B2C523,SHA256=2149ABC30E4FAD8337C02DE5098B589578070911EE8F5EA6D182DB287477E73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=AC8D6B13F8CB582661240AD7E8D2C45B,SHA256=2E5A5CB9413C24277385D65C2CB0C54DFC59C299B6A544FC543DAD4C61D9F84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:32.110{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A0F286EA369E7E280C4AFD7C4953B566,SHA256=5032CF7DF3A6B3E870B98D7ED1BA171CA19D01E93CF3FFD918B3F4045E6B3D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:33.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07B0EC5281A17831665A25DA50E371,SHA256=118425B8F630F9974B08F322E848BFC6C96CE4F64A2F45D45B7E1EBD15769743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:33.793{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10CA08714806E943A105F538B533334,SHA256=A0063D0D491B4E0ED288089FC7BD7AB1E375AA5D2EA35A3B6CB5878E669DE2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:33.020{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:34.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1F9572B690FC39452165D352620D4A,SHA256=971291D2D5F77DC09704E7152F601927CD681093DD0F245A679EA54AEF2BC3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:34.808{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030F43C8312310033EDF8C0317AD6FD1,SHA256=5B803EF1B266D38E59E14B5884BA461490B1088290F5C184FD781E4309048770,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:32.628{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:35.957{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF210A4C9D9D3688E1E62FEDCA9E30F4,SHA256=13DC12AE4E2FA30F14FD1F0D6BA4AF33B3D14161F157849483F5ADFB43567417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:35.838{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160504CE1A2F7BB59144E49E379BAA26,SHA256=75CCB50EA7B9DA4C0AC66A8194A5F48FEA136CDDBD6EB21DD39AB7AD9A353EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:36.973{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4991A4927BA611226B926F788AD4E70,SHA256=BDC2992F58B3FA48A4668FEB710384269459B88A6B59459276F2E66F2252EED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:36.875{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74DEC7BBF347FCC654BB8F770BFD57A,SHA256=AD9B72215D0CF47E976236175C6EF97970DEA2EE69DF8C04B5DD550E70A5F7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:37.988{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BAFFACD4296764ADD89CA49F6574A8,SHA256=235924528BCA3DF3685FCD2BAC86ED964993624E283023ECFBE04AD0DB9DF38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.906{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52535E4A5CF4A318B2C03E8A623EF2C,SHA256=B55E01C33FA0BCE28B3C2AB95EC466F24944CAE7D2A616DFB4A607C002A8B42D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:34.675{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000049753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D909D29505EEC11AF2BDF526B94E4E87,SHA256=1DB913495D70BC0ADC47F3CEA078B150A44E8934E43FDB7DF8FC1DCE0046EA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6CD6953F432979306D83FFABF654FDA0,SHA256=25F2BF59ED13AAD8DDE0B99128F5C8D6EF615C9D3E0D01ADD2EFB4D2A783D63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=ACB5DA28510163A764E7F5D826399ADF,SHA256=44FF63B8F1CFBD449157603A958F8481A02D09A9E4BBFEC17CEA44F2B47D2D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=110381E07B395B16B72E333EF1A91CB7,SHA256=142EBDDF225C6304E09A468B67E8E944B677C611FD9A07A6781DBE0458B379ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=2B2D25949DB9D88584BE417EC30B5847,SHA256=28ADDA575B02E8B52FD3C8DBC635A16180276C3D4DE1223255502EA9EFA418C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=9BE74282FBBBDF1760C524D98C8BD5D4,SHA256=5E7FF946287944BB17BDEE37E7224AE132A2ABAE1EA48A6BDE828B8FCF288FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1F58BB53F6C5BB1AB7983B5D85DD8AFC,SHA256=F81CBA4A719619232266FA3916B95593B1326B20A37C30DE51566B44B1271BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:37.122{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=AC6609AF4B61F8C1B38A26693AD5D1FF,SHA256=5AE66C88D1593DC1BA1B97837A44877234F8BE545EE4A96BEDAE6B8924382042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:38.988{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6D378C3198D8498244ED34E45F83EF,SHA256=721EDBC3228FDD5201ECF9FE9A3498AA27A2940EC3FEEC8E186E7CD5F10A1E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.936{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477E5B3D3F91256DAE832B763462EE60,SHA256=3565B48C37F1CCB9A193A7BA73191AF9157B29B358FC6539E77DEDE8860C237A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62FCF044A175DB8C4897BBCAB3324CF,SHA256=64D0D238B586A88B5B3EE9A83F32614E9E5428373A90DF5CE1D24CB2BC2E7DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12843978C6D59097861AAB4945CB0EAD,SHA256=0A16B3C236988399C05DF84578EA3CAED9689E36FCE7C61EA4A28FA0C34E052F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000049757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.421{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txt2021-08-24 07:59:38.087 23542300x800000000000000049756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.421{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txtMD5=C3BAD60C9B0497E1ED74FDFF97F57E9F,SHA256=8DC831B87D024A8283DCC850B256439C2DD38869CD1B52798CAAC9BEB59E467F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:33.015{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61736-false10.0.1.12-8000- 23542300x800000000000000049761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:39.954{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DB7F5A39E6E2EB58BBF053D65CD388,SHA256=7075E9671C3715986915595FBBAC3FF0907893C52FC6E9C46AA764A3A00CE8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:40.971{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C86B7BE9F61B024EDAF0ED9A01F406F,SHA256=3CBD12FE0295D400C0106D252A65F919C6339D2BFB0ABD2F277BEAE48EA9372C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:40.098{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CAA37023180774815BCA56DD0AF7ED,SHA256=3F7533FDF71A51C52683A70C85BBF91C472E3814555B29A97FE871680A32E4AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:35.691{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61737-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x800000000000000049762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:35.691{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61737-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x800000000000000049765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:41.986{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82A31149E7FCA09F0DF1959D23FD26A,SHA256=942E5732663697BB4D41B95AC5E950BA2BB97901CBB6946C5A18F9561DB4115C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:39.722{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:41.145{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC7B693C22990B1724D37BB2AFEAC03,SHA256=54C768A2DBAF182387798EDF20218E6704D9780342884226BCA388D82442044E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:42.379{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E69F7F1F42A9F10BBADE6D98612D2A,SHA256=2AD382E5D00DFA316A8478930236B426F484256AFF2693946D733731A192CA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:43.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DE61CA643178A19A0BD0FFA58A9EE0,SHA256=43B9D1B5F632C97A19DF8FCEB209EBE0FA85407A0DE7D25DCF979CAF925ACC3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000049767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:38.110{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61738-false10.0.1.12-8000- 23542300x800000000000000049766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:43.001{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8F1EC2416D16B485F5498FB7F22689,SHA256=612FD9A3F8EFE0A6BFB466CEF46E95BBAD702B4514AC25C85710A9CABFF2446A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:44.832{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8615C3B500ED85ED6DB5C9B7292BDE00,SHA256=C40CBC06808AE5915FC557FDBFB203DA2F154774BAF0605AE0E16EF3C5F3339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:44.069{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2064520C92B86C47E50607B220A920F2,SHA256=42760620F37B3B7ACFE38179448D920B25CA69C56EB7D5030ACCB84DED1B038C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:45.069{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1759EDF665287C304A1A5F5D78851248,SHA256=D1708FFCC506B848D279C2737AE9CE398934466FAEFD400D1FB096D130A4F53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:46.211{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-113MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:46.069{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD25750983A6EEEE1349A505233D7E0,SHA256=FD98B16A67DC2C9E949197D0377EA6CBADAB956ECFC03FBEDF04DDD0D40815CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:46.100{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B722C223614D1CEF4590FC6C010F17A4,SHA256=12E45810ED34CBDB5F0B29A49C577DD0D8EB16CC103A1ED6879EB6F1466492C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:47.225{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-114MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:47.161{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D66D8EA6D67FE53213A8E125E86610,SHA256=7AF8DA4C9CFF3906C070345CFFF17A348DFB396BBECE1B33E4F57F9CF0231691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:47.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DE8CCBA83D5A43F423B8514DB3BBCF,SHA256=19B834E5473A2EE8834BC14637D991684645ACC1712D93D5634BDDBCCDA275CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:48.166{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B653E2D8015E13B3A933946E4B69E4,SHA256=CD78541BDBE73711A76F5C37F05F43D52C138586F113FAAD463ADDDC34D09C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:48.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6361E599522CB54D489F91CF59963EBB,SHA256=3671CC68B1509A4EAF68FA00C458DD2C950AAD1707B8B751992FEF30165949D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:45.740{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000049774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:44.069{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local61739-false10.0.1.12-8000- 23542300x800000000000000049773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:49.167{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E54F20498BF2643FCA525CDEFC989F,SHA256=ABBB8EB66FA3B3FFCED620A069CAE8D1706D122A9BA6F377A89713B6BBFE950D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:34:49.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93BF6453F33D93BBFECF57953A19121,SHA256=7A332B151B50A6EA75D773E6A88A38250DB2E078612F19734BBE0E6BEBC5407D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:50.229{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7486AE0B14B82BE3FB4C021A73FBF6,SHA256=2B572BBCF7F056A4057D6C5DFAC4F3106536A43B7136C0EA7F7C85D5106DD4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000049776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:34:51.098{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7AD47EDE037B1A067EB6AF254D0F7BEC,SHA256=9534262DACEF62DE00C8E28E6F34B49E7D4E0C3774A18660663106D4EDDBDCCB,IMPHASH=00000000000000000000000000000000falsetrue