23542300x8000000000000000271636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:09.735{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1ADC1A1D7B9F5087FAE86378DD5FE,SHA256=4063839590A07E0714911A4AC67ABF343F87A9214D7AEEE0EBB027C798E05A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230946Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:09.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524F4B79C70D66F99BF16CEC4FEAD244,SHA256=80C4A198F4ADBCD1D8D367DE3D5CA79D37AB18769401F4906FA64044214226EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:06.600{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:10.750{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDF7663B6692F5E580F1CFC969DF42,SHA256=CFD3F9186713F231901062093FC579B2B4A2FE0D75D02EFCE1E56E34316A5193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230947Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:10.059{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0034DE7FED972519A2800FE8ECE469,SHA256=B89C2864E97EC2B40B369768D50C0AFE72B7F655E3D15AD50F5658B7AF8797D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.766{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19595C222BAE9134B65B2CFC287F4AC0,SHA256=686D42B0F27A32C900B17E2271378E1D26CA90997BD5C24046E61AD793D0EA59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230949Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:08.215{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230948Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:11.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EC97337E6E8DDDF67EA750E9AA7E04,SHA256=B090BBEE0E9836D526485C1966CC9A23613D3CBE210A1CC4F48191B8BCDD279B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.781{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC05470DF67EFA3932655C073CA0A703,SHA256=86965AAA8EA50C22B9B530DF44978DDE6CCF1819DA2A2E4DBC156776C8F8EE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230950Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:12.075{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8784FD9C9FE20F524F8207DFD01B51DF,SHA256=2F6C1473532AD7D7888ED3AF9B744B72DCEFE581B7865347967A608B2F311330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.047{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:12.048{80A11F3A-69EC-6127-EB03-00000000F201}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.797{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE8F1196AB48A6793B693771C58ADC6,SHA256=CC2060F1A2EC1F0B8496D7BE76D5897483770AEA49CB0F29DF90219BDCDD6BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230951Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:13.091{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F25B2DAACC123A1D19B6D3480175E0D,SHA256=767C95D919CEA0EF7AE575CEFF9BE8C82F29B601FC3D56259478223E17F0B121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.766{80A11F3A-69ED-6127-ED03-00000000F201}46362472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.563{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.564{80A11F3A-69ED-6127-ED03-00000000F201}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.079{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EE01EBDB892D57CB574C7C619CE445,SHA256=071AA66760447A48BAA94BDB4C9A54E57E1410D60C60FBB69DD13E3EFEEB2952,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.063{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:13.064{80A11F3A-69ED-6127-EC03-00000000F201}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B1C92B428AEE945991DCF18953C22,SHA256=DF39D830E7F0E3C73EAE7899E1C2A735C1D7592A9F2D9D9401717B3EE41D5D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230952Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.122{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40DD543A352482673196830FFAD64AD,SHA256=A33605625ADCF13E0CA86F9B355B59CF0BC0A5B1CEB2B5288654DD305E6A68CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.641{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71D6065971BA0CB8453C4873D5CB098,SHA256=7C4957D10FCE6B6AEACD0B2FBFFE53F2AE4B194CDC515D56ADE21117E3BCDAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:11.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.054{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:14.053{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58098-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 23542300x8000000000000000271671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:15.828{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0253B633F6CA2F203D6F4C777FBFDFC9,SHA256=F907072CB138854ECA19BFDBB6E8D906A9E5733B3F485DBA81A2735EAADF88CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230953Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:15.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3809FEA2FC63DCF746AB22D7240CEDCE,SHA256=0B2E6E253E3215A90E93E12F67BC37F9D8412C304A4CCCC785BA4D1829E84D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CD9D3001A006ADDEAFA5E30C0F6367,SHA256=BFBA4937F5D6D48F68BECAA0DCBE8580A5684A501DE054E62222E9F76A4CAED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230954Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:16.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8919B793BB0A8B4DE9CB30C2BD35DDC2,SHA256=56CCEE7792A1E0100A72D148574008E5B40A19087492415F51DC84D3307A5C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:16.798{80A11F3A-69F0-6127-EE03-00000000F201}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.844{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331A0BC3B9F0C759B3E98ADA9B1EB3BB,SHA256=758FC2895A8EC27598F317600E1CBDAED2F5B3D9D0832DC91DCBF4D627596F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230956Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:14.059{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230955Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:17.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A508852F9B6542B5DAAFBA1A1CD70AF,SHA256=575F9284A7A5EFA51A926FCB3E0617490807810206FC17D59562C538A10E4BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.813{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F59B2B300546EB7648553A083B9E8A,SHA256=23FF54AFE720B5A1DA6FD800C53B052CB99F56EFA2F78FE72972F4DB17A44BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.797{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.798{80A11F3A-69F1-6127-F003-00000000F201}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.531{80A11F3A-69F1-6127-EF03-00000000F201}32601000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271690Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271689Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271688Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271687Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271686Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271685Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.297{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271684Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.298{80A11F3A-69F1-6127-EF03-00000000F201}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271683Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.063{80A11F3A-69F0-6127-EE03-00000000F201}38045076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579FCCFF4AAC912FC7BE6771BCEC3248,SHA256=65A89773A5BE58E9E6F3E790C86E4AD5389BAB4861D28018BD6C098451635AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230957Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:18.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44257D1185245AF826FB7D7E16DD808D,SHA256=7CE1DFA7A900EBB0F3D5E5441CEC853481C23A369B5DB8F272C762574A78C426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:18.063{80A11F3A-69F1-6127-F003-00000000F201}20965096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.860{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8DF1C9BC6117F3E5C4DBC21B525BD5,SHA256=C16F9AB1707C4BC19C80A451E62E24C770C177DEE435F096F5949FC3041092BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230958Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D174DA8261F91D297AAD7FFD0734611,SHA256=2BEE2DE4C953BF382DD8E429F296D0F2EEBB4BE7B744BA321A072CCB2D86DD38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.516{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:19.517{80A11F3A-69F3-6127-F103-00000000F201}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271716Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.875{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80E8F566BA7B8912C6B4E4F3EB0A2A7,SHA256=74448CD5AB1C241E7263CE9E381E69C84BB75C8B0EEB00153E09DEAD7015496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230959Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:20.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694901F67A8D9AD33619570D8B12BACF,SHA256=A967468535A76EC00157D34FD94FB08C7D2E9EACF03D4DD73F4EDA909A2815B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271715Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:20.578{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1A0E8BA6E2B7F3321BFCA710A6D814E,SHA256=C3FC856D4F88C37D452D0DABB76DE64E3FF6C4A424F1196394D83932AA5940FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271714Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:17.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271717Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:21.891{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F2EC5F1A5E4C0CB10B4978EF8A039D,SHA256=E4EF4892B655FD00BF34C13FA10FDFC6CD19EF0CA576392DEBFA4EABD0BD6617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230961Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:19.090{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230960Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:21.169{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018602F0EB43FD14DF44FBD8981961B8,SHA256=9FC5DA7F831A4300274CD2B419937431D09BB0DAF2592A2BF47D71C625D75D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271718Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:22.906{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AED429947949D48DC626D46DF9474E,SHA256=E2FF7DD04EC83EF6B4474CF096AA39DCBDCE4E6EB807FC0FC293789779D85B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230962Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:22.247{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0C1DDE66C794630160365D3749F0B7,SHA256=2F8C73965B698CD21C5D4568EC0A64B90BE15E012FE784DB97B2B9977F02F131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271719Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D46CAA111B1DBEB5466DA88641AEC0C,SHA256=C5E4495C433D3514638F993B894B0529769E3FEE1379DE41ADB1928D2CC73083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230963Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:23.262{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0552779145A4F37B85C114E7347C0A06,SHA256=562E8A718B0EA8D33E8F97A7FF5ACA8F9E72582BECA8EF40CFB5D9A34784EC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271720Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:24.922{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DEFA84A022AEBCF0496432A3813B9F,SHA256=066DE017DA710445D6AE2D0D95C6542BE1CF3A34DE135CC62A72453B6E8EBAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230964Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.356{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958F97B06620A3E105789CE9086F0CB1,SHA256=7AF8AC97A0CC45F7569C5D6A949A0B8C76C71D8E592A36C6636494E8DD33B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271721Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:25.938{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3A08A829B42DC874134FBE899E90A5,SHA256=2EA4A555F2B11C2A66880A316BAB98267A9C6158B3E1FF7473E897C5BCB927AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230965Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:25.372{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44DCFC1CF76F3F8DE000CD88EC9D86,SHA256=9D7520B825F65A3A970575500BE61DEF9AFA70311AD8956C2229D3625FC301CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271723Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:26.953{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83D1849C3BA1D8E500D8306A40E1B30,SHA256=70734C293A6D64D4A09888FD3E1D0C20AF6164B1F14262ED088EA8C9CAB5DB51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230967Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:24.107{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230966Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:26.387{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBE46E79E5F097DCF910FE4A58F6A41,SHA256=C43F331E89D1F1037268B7ADA1875D1E2F62AD34A779C26F86F23980CF8431EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271722Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:23.819{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271724Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:27.969{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74FE06F60E36214C7AEC1F4E0EADF76,SHA256=6CC7431E7EC319D14E445FC2367F1C0A1CE4FF5CE584254B325211978C968452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230968Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:27.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196BBA9AAB1E00F37868B6F11D8953CD,SHA256=D8F257180B513290D306C25067DE06EACEC0C550CE6251069F27E42FF4499FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:28.984{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C795C71C58EB121C873420AEACEE392B,SHA256=D58324E237C7262FBEB56DFBB233A1B0C84B13C725DD1071E30A3328FF1FB759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230969Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:28.419{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB13E5D7FDF870337D3CAB5953BA9EF,SHA256=90B1F08C9C1CAFC72D22814EA86A357ABC3D779D4D43EB2E894C2867018D54DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230970Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5878D9B88DC8DA951E5EE668FAA7C,SHA256=413F13690FDD6B442A02B1EE943393C5124376F2A5D3B84A5ADC97E080C993B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230971Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:30.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB06C9592174041CF6510CECA6DA89E,SHA256=B844E26C40333CF62A8218E49EAF59DFD4FC343876C220C72E803B456E1D02B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:30.000{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192CB51541F4A97049B887553A42E8C2,SHA256=E70A121BE9DCAE3C4348FD4DC41202A938C4D911A06BC78B08EE210EA2E4844D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230973Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:29.153{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230972Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:31.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBE99805D8D8F66CA8A43842FE36123,SHA256=F3ED489300808EFBCA0CB1F76FF44363A33CB5C37A4FDDD10743E52CF4D13B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:29.569{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:31.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A521496A986195DE03C80A7AF9C838,SHA256=C1799D88173193C80E7D095183D7054001180A25F9E8A427E4DF96E0E2D3F91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:32.465{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F034CA97FED58E7894EE4E083CFAE7,SHA256=4810C260E5FE53A3905FF974BA2489B95E43855DCE579297455730678D6A61BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:32.016{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485898EFA44FA81E12189C85E62F521D,SHA256=04D18C233B3F85EFAE78C5359D559A892D4EDE151A24F10715D1A755023E2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:33.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B492ABE0CE0E5D53787335198DDD3275,SHA256=E0029AE6E0E5A4855202474CDA14BE1BF0F14B9D1BB7CA51FEB525D7A6EB7A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:33.032{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31D0FE0269A7B35B1CDC672A7116E86,SHA256=145B09BFEE06206715F2499F5E210507CFD03BCE779EDF220A0594CCB5C74370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:34.481{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C2C0B9CEC22A249E579F3F0B2AAA24,SHA256=299601E9D51746DDADA04DDF390F3DE0D211869F4736FFBD28E1F3DBDD2277BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.047{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61408FB23820B10286BDAE9B4A1DED45,SHA256=029ED69D7E2B0E33DD88E7B6F9047ADE1E802FA3B0F8AC94BA4A123B006AF0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.750{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-111MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704EDC7CF31AF58906D09124783BE2CA,SHA256=A8846D265CBCB3A35EC6F0D614B74DCD54747F48B1E2DFBA23ECA268128C89B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:35.063{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0708C22474104C6BAB28919A39A2252,SHA256=64BA7EE16BBAD883BD00D95F74DD5DDC78E047B932F3332F830404092393430F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.749{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:36.514{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CA7E2E0B6AD0CD48FA6DE2E4F7259B,SHA256=259A315F30DB7A9AB592922CE1F9F039BFD8EBC4B6404FDB7786D1C7163265EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:36.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F5FBBA45805F5C663D36B30D7D6121,SHA256=624D6D7D149034507DD1FA7242B04A585663C992E53CCC229A96AA46DE74CDE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:35.123{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:37.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DDF03C3B4A783BC696BD38F1A7CC2E,SHA256=E61012A5D6A588757C747C49AAB3826827704DF8DABCF97E95173D30FFE71464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:34.725{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:37.078{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA54183EFC6C64D762ECF2D57A0EE1D,SHA256=632DECCF04A90F5D7AC9D5228DE67D4E75E69B2CDC5D817BB7A0FCFB584D720D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230983Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:38.528{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6E92A09132C5CAF6773C5E8A004037,SHA256=3C22AB9AB4B92212F3ECAB7B5AB6AF29FC336330402D33882ECB7E1B34372E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:38.094{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12925719806EC015512AAED4E1DAAB1F,SHA256=E52D44CD0E3E63756CB87C6BDD7C3C02EDD7D58D04B784FB563A391A9645BBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230984Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:39.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E501A832D60E886A53B3E06A84BF09CD,SHA256=EDAB2D925B385739C33833DA3D8B1AFDEF58EB7FF0FB1B25A00FA089B7A408F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.109{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EECB45A549BC098749A621541E5C852,SHA256=313776B5E6D36EDB24B8FE67C22FBE30BFF3E254ABDA96B5777C4D5EE673B1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230985Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.606{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAA6A473C0D076226D4F8DB64CB41F2,SHA256=C2A0D3C4EE29770AF6188FEA7268B886921773AD8464D7308635C90E59C93B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:40.125{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77BBB92A3E95CFD8B8B6ACBC7F70F3C,SHA256=0EFD29CFD60E1A2DF09EE60018F53EF8103B6C06605D7B35318C1F576EE68669,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:40.094{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x75e29bba) 23542300x8000000000000000230986Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:41.669{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24AB0D28A3D412E8F578DA575D667F,SHA256=B63A2023AA35B42DEE40D626B50A647F1E53DF4E748EB618416191411BA7F2B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:39.772{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:41.141{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4F07CBF8674A4A2C64769AAFF8D589,SHA256=E91B10132F9351096A0D44A9A500FA742E2DC3E3FBBF66DE790E0F1A31E395F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230988Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:40.185{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230987Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:42.684{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73928ACBA93CF88FE611FE6DAD24C2FA,SHA256=E99DE204B72C9157765771C84C8842B1F3881A9A47310FFA9CD2E5F8397C3E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271742Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:42.156{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2A0C58EA293A5B79469CD924569902,SHA256=DA92FF204F428032BFCB4A69E4E81C167A8A6DDAF43D91790DE0944693E5D974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230990Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683CC7FCE1464A45145FD8B9DD307EF8,SHA256=E58E203CF5B02B083617327386D43FE4D965A923CCC70F7BE0741232694EF63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271743Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:43.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0A626DE11EF85DF26BCA52C197D7AF,SHA256=CA660A95D77DB700CBAD176655143D4541CF97FD75C0CB0D213D5278862E4A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230989Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:43.419{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB161ACB1DC396B9FA772F4748C48BC8,SHA256=3E9BA90C006A46C6B041476A6B7AA2B1F31C00E0349DAD37322DFA6A51009D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230991Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:44.731{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60072C865FF7948229FA0DAD1E220B58,SHA256=50336ADEF14CF4B3B71BE1CC3674F46F1AB103B87A61D585A01F812BE74D22FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271744Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:44.172{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E803C9973A97E77EE0FCB753E7795081,SHA256=60F696DB2B9C50EDA716A8BC4503365CA64B298FCEE3EB257BD5AA6EF623E05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230992Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.747{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDC28FB24A95F18F2966743B0382AA,SHA256=6F54AC11F919447A99F56EBE3FFA478462C8435858FB85982B9FDBEB8E9B8C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271746Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.203{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEF138835A4D677905AA789C85F0A2F,SHA256=0FA3383E6EFD950F57CC84E6ED4F6E041532DFA85D2BC2425E0178C71BB6CCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271745Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.141{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEE9E1769CBF61135D0EEFACC81ABE67,SHA256=6CD13F986E620787370CE11057C5AA645EDD22BC1749F23E73CAA86A5FFB0D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230993Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:46.796{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4D2AE0FE2FE2050C94E571A8E263FC,SHA256=FA4C80652232F0D4A21ED3E52A825B17F61F3D8E3546A1C350D618FDB3489623,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271757Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271756Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271755Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271754Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271753Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 13241300x8000000000000000271752Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000271751Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00696ff1) 13241300x8000000000000000271750Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d79a5b-0x1786d82a) 13241300x8000000000000000271749Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79a63-0x794b402a) 13241300x8000000000000000271748Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:16:46.656{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d79a6b-0xdb0fa82a) 23542300x8000000000000000271747Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:46.219{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41727434564186227FC72D62805FD41,SHA256=75FEA50661E8FE82ACE8072EDE532BED7B35745A0D87455FEC68AE9EC35903D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230994Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:47.811{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CD93BC88F320CA13CBC70D85C8435F,SHA256=F1DC14AD74810B2BCD0ADBCD7F511B4F1CB0E48442E5D05B729033BEEF0A85AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271759Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:45.631{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271758Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:47.250{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D216E81B8394206AF1BED9890F12D90,SHA256=71E6667F83B2E6DDA5ABC6FBD0FF0AC613B06A50A24701CC1333CD8849C72FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230996Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:48.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C952622744F316EEA0BDB457BAD9F,SHA256=76823E40FEF559DE87F6EC6B1C16DC3BF6C1CCC97AA102ECE4C870EE81C1D24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271760Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:48.266{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3843E074E7438EEC4AA98E6CDF59179,SHA256=DC238590EC9F1E94897C1E699538736D91116BE3EC507D2745A89B366D9C6081,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000230995Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:45.216{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000230997Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:49.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C7BC0B46A69F318B4E4FBD565D7C7,SHA256=DE3A6627DA55655CFA2DD683BB9D7AC15E1B94068ADF3C43282AC21E92A63651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271762Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.500{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271761Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.281{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9F007C72F319D75718732C6BC79FCB,SHA256=8796A56AEA0DD1F85221E51F8FA2AC2D42A10C5A8466445D706F4D977E0B2892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230998Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:50.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80099D162311ADDB2FDDEC061C21952A,SHA256=226E2C452DCEA473F101FA413FFE98936ED9D61E670B9F92476BE846E645F411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271764Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:49.053{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000271763Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6F9DCC05AB8D9457D88E04D09A2750,SHA256=CC65D4DB76C8262A57907BBFEDBB581F3675F255DA2F57A40541768AF5D41F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000230999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.921{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2969983A210C8E5E006ADDEE3AEC83E8,SHA256=D11385A8545C2C821ACDDE51F2018616815C0B6516C9E367085B914D7C3BE802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271765Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:51.312{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77365C85535FE251D4B41FC84BC09C2B,SHA256=242FF12431E4C93E375D96524CFFBFA9AF27FF123DB6944C7CD081EFEF91DCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:52.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E6F99AF1E555864D21190D5F0B766,SHA256=60C07726202A8FB6423CB9DDE6C7FD0D4253730F2D8171689CB1C9A5915EEF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.912{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-111MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271767Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:50.787{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271766Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:52.344{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F87180B4750A46E13CDFF58F888CC69,SHA256=C966C614BE7FFD94CD853E2A73BCF2B8C6DF57815D580FE2DEE868E0D526A8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:53.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5B7B11E4D842B0BC03455DDFCE1C05,SHA256=513A125B5D1675E732801FD3AE889C2C7ED958CD520C2092E8C49330B7870542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.930{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DADAF3B356742E7845BD6D4D203C1DA5,SHA256=92E747718403BAAC3EF952FE4AB7E49BEFFE8ACDDC8C725D3BAB3FB15E576EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.913{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.893{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.815{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.690{80A11F3A-4F17-6127-1300-00000000F201}9881388C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:53.347{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3170BB99B3B23465103EB54434552,SHA256=A6BA0D435C6B1400398D568A159C3A7254605D90AC0B1189209410198BED9E22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:51.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF523D2C711A61B6C98C9241E354109E,SHA256=E8EFDB8049DC189A3D1A4E0856C8EDD36D66100108308D469ABF84108ADFA657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.714{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.699{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F80-6127-8000-00000000F201}2204644C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.683{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A16-6127-F203-00000000F201}704C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:54.352{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A956985B01FF43ED57FAB003483FE,SHA256=71A06CD92BD617B5058E34184CD39FAE282DB03BB012A90FA9B6F083A514D598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.980{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.985{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.683{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F874CE492B314893F4A56D3845EA5453,SHA256=5346B829985E7894F188AE83B9AE25EADD8F1623EDD86A77B27E6B8371693BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06E18EB4210CF192511278F019DD00,SHA256=12569CDB83E2D199E0D1BD75D3181CEC0CFA3DEAE5221FB2C142C0FD8B83C43D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231029Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231028Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231027Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231026Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231025Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231024Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231023Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231019Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.671{D371C250-6A17-6127-B903-00000000F301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000231016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:54.999{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.000{D371C250-6A17-6127-B803-00000000F301}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:55.168{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E5BB78DD10AB5462E13732503E3B74F1,SHA256=9EF9B1B57933B316C99FC63E0183097E80398493F35107174CAD8E79D6A17570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.996{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DF423E45663B54631C6C5C4E8F63F7,SHA256=8531A5B533EA1B948F386D2E7A3F98884FA90DBCDCF390E2D710752BDD0319C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.355{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34A04F93F980626121557F94F6A417A,SHA256=17E307C192A6D0A373332F0C0D23604DE64B396280922E45AE04A3C81C7BE431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.467{D371C250-6A18-6127-BA03-00000000F301}27001532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.374{D371C250-4F16-6127-2100-00000000F301}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231042Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231041Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231040Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231039Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231038Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231037Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231036Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231035Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231034Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.342{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231033Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.344{D371C250-6A18-6127-BA03-00000000F301}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231032Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231031Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3956BCEC829848DDA4D5C3B88C9E71BD,SHA256=82C9BECB4DF06898A47108D214C81F0D34B4BF0B2BC200B2042DBE9149FCB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231030Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.139{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9B679A925DA76AB2F79092EF699F68,SHA256=1E82F5D620FB636E97F7117ADBEF4E95E38D7A5C5038C4E2DA65DEC3D35CC06E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.011{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A17-6127-F303-00000000F201}1568C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:57.371{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890D3A541351444FABB907F2B6323A1,SHA256=D58F83CAD877919060B3C88510A88652424DF941777B0E799BE8C80CAE75ACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.342{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1566B40EDF2E7482D11CFAED7C0037E6,SHA256=23D25FCF94BA789E841E09559B3F724134884B5EA16BE693249951701666BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:57.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4805048E6976373D0F06D5517C257271,SHA256=9463BCEDD847A31DFF983EBA13F34F50327777FBAD1983F0E38DDEC1B264286A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:56.767{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:58.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD3B27E2973E69D35DE4CCD5FD0D42,SHA256=090D63974B8EC89C084C10E5AB57AA43EAC6F8E249377E0066AE0D902B838E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.717{D371C250-6A1A-6127-BB03-00000000F301}8403340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000231064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:55.327{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000231063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231058Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231057Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231056Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231055Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231054Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F14-6127-0500-00000000F301}412528C:\Windows\system32\csrss.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.515{D371C250-6A1A-6127-BB03-00000000F301}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:58.155{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0A3787E50E97457E9B6A0E55462D5D,SHA256=FD904B78D0A1149342DC0A1722843FCD0539B0724B530FF985E458BA1EBBD3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:16:59.386{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4179C61557FCA27557B4AE54D2D17595,SHA256=DEA77763158A80E134BE0BA37759C07967ED188661677D08A04D4B4F029D2405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231082Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.827{D371C250-6A1B-6127-BC03-00000000F301}1722408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231081Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231080Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231079Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231078Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231077Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231076Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231075Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231074Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231073Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.655{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.657{D371C250-6A1B-6127-BC03-00000000F301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:56.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B49FB646555A5B384AD697D8EA15AB94,SHA256=81710E512D2B85AACCAE66170D9D0E9887353BD69490816855F456C067A3484D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:16:59.171{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E450C0DC5FA0C9A4F936BD6A1C1326C,SHA256=14850E18FE0AE7D18CD9194359818501A12637295E8A021C99E9BA23BB4FB718,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000271806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.433{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:00.433 23542300x8000000000000000271805Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:00.402{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1350CC684E97D9B89F4C0C22CCAC735,SHA256=F1C43F950A350B2A838D67EB88DB769423C9011B47DA234A2E887F1B826FBF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231098Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27C289047E0365AD7D5D4067E5FDE55,SHA256=91DF3E5BF0CCB3FBBB7A0D693EA13905B5657B638DDCDDB5F5782FDE59EE464C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231097Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.530{D371C250-6A1C-6127-BD03-00000000F301}23323660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231096Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231095Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231094Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231093Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231092Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231091Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231090Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F14-6127-0500-00000000F301}412428C:\Windows\system32\csrss.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.280{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231084Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.281{D371C250-6A1C-6127-BD03-00000000F301}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231083Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:00.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A9CD163F4D35115073F7DDB267E0D2,SHA256=9263D7353A7FC59F452B3158E22699839591980BD126B4AA33EA71BBB515C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:01.449{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C1C1A9673477271DC657141AEB5A6B,SHA256=531A4955E9B65409D4D1C783D3423E54B0FFBEEBC703DF36C05EFFB04810AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231099Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:01.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872587B160C62EB2A8FDA0184EC037F3,SHA256=A3CEB902B2273526C5E49AF226EE05EB2694979D7B439F545111A4212500DADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.496{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418658A4B3DEAB166C57A4B86E4BBBC9,SHA256=CFFB696A1AF8A79558ACE7C9AAE6F43EBA1F04D627A5314010C29587A58027A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231113Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D20A82DD527A82455002C0A548C954E,SHA256=3EA682DCEAF2F85486FC7619776A94DBBD67ADBD7DD509EDF67193EDB4C7B7C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231112Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231111Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231110Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231109Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231108Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231107Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231106Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231105Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231104Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231103Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231102Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231101Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.092{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231100Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.093{D371C250-6A1E-6127-BE03-00000000F301}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271809Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:03.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E933A63F71B5D25B2270D03EE31B94,SHA256=6A1790AC5EEC0649BA148D74901CA22AF077957D4367AD208F8ED23A1D63AE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231115Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A1EAA6FFAF94EE4B783FDC53D1B5F4,SHA256=5C6D1AF00E1BAD72758630AE422980EF582EFD9CCA9125C50EF99E73DE58224F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231114Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:03.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDD4EC31CD60B5C55C2665E19249961,SHA256=2220142B27369A5502DD347AF3076AEEF21F18EF9736E667ECD30395E001A18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:04.559{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019F4178D88B8D771F524BE3AC6260B3,SHA256=D083E6F4E12CF7566CDE3880EC4E2A3B7F85E900F21A0C1C75C0C464002E1B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231117Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:02.031{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231116Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:04.186{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E39189AC2CFCC4460491A893327B51,SHA256=F6DE5B9EE1EAF7647F707F6622ED574ECC5E5D791C895695C7495E3520626966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:05.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A5918DFED48623231A0ABAEA39B167,SHA256=9E2407BEAD772ECA088C2F14926D2772F542C09577BE0AAE0901810D85D4CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:05.202{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B5FD8DABA6EE2D07F234F3C9F69DBF,SHA256=EF6C3FE4D0C620C3341566B3C7FCE793F1FA42CE44EB2131094F1A5E36CEC817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:02.705{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:06.622{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A945EC0EB3BBEB4817186AB9E9FE67,SHA256=BA768C50124077C247497CD8E12CDAEA73F62548AB82A581A4DEE6F448F3419C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:06.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B68ACAD137F21136450584CAB646AF,SHA256=2DB79A3653294E4F51651177863305D37703FC3A400EA063FDAF10BFFC9C9B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.638{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CC52611E25D205C4F27AA56990BF0,SHA256=864B88A7C7338DB239F7339C7CA54A154017F6BB258A57C6EDF4DB211EC3733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.249{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034CB109C0D5850B95AC9A03954A139A,SHA256=F88ED1C334C65B64529B1A952E47213B0CD9FE838F30C9A8911C590DF014ADA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:08.653{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB11D9907877D9BD4C788472F1DCA7A,SHA256=EB021E077FBBA364CC4632BD45C274BC46781AB130B3B35B089FF186DAFED3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:08.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718BA3FA347A8E9954169DB585B2B8F3,SHA256=864C2E25E88F255E9817A5A561EAE8630269AC312EF7822B5A44CDD48A4092A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:07.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:09.669{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1006B2929BF949559D5D6DE9ECBA65,SHA256=0999A584BE2EA196EACE67E4B34F32B610BA204FF559032EB8C2BEA14669E0F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:07.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:09.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6481D15C078DEE722E5B47EDCF5E75,SHA256=F82B65E48A1B4D359714262A10D290B1B58D0B6E32A708C82C047045D28E5037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:10.684{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F82F28D1FBF3BD33A9E9895E96EF900,SHA256=1D66CBD6714085940E63BB023F23FFC4F2202BCA9896E324DD52D27E52FA5719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:10.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB36EF8A9D1C699493CF773397879612,SHA256=A29FFE950172A4875BAD1C7BAA901B3E4FF790183A986FFE5EC373DB0BE31F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.919{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.920{80A11F3A-6A27-6127-F403-00000000F201}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:11.716{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AC1C9DBDDD2AE6F89F90AAD9A642EC,SHA256=E01CA929AFE1236BE3251C595F2757AF0352D2B97BE69815D878824224A38270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:11.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB370B1CD48E37E32C635F6FFBAE6BF7,SHA256=206B8BD6F9493980709AF799F518AF20925F129739348368E8EA4B3366C2C37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.934{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC0DC81796F0B9366C70282C2FF1AC7,SHA256=F1FEC37E732631F158A4C334A472902AA4FDEDAE615CB0269B16C9B62C04E118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2110291F0D4A31C36F0DF8E393491E,SHA256=CB437E239B6CCCD59779755FC5F02EEAFEA02D300E2C7F16408D13CDCB32F2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA46F94CAB2AAF61FEDF255022D32788,SHA256=8BE6BD5A96694457FF6185FF783CD190C4D3624764FD86A3B05BF2363EF8FEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.950{80A11F3A-6A29-6127-F603-00000000F201}42404344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.731{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EFCA1A56492F1A963945FB3FA2BDEB,SHA256=5A6F1FAB52BBDBA3AEA35E12E182FC8A2953B29CCC092B78BB011C40B41C2275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:13.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52AD38C260A2576BA7BED9C384F8A6,SHA256=830289084CFCC0032B91554B84763262304EAE6ABF9BA2CD9FF83BBEDD5B8491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.669{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.670{80A11F3A-6A29-6127-F603-00000000F201}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F15-6127-0500-00000000F201}412528C:\Windows\system32\csrss.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.044{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:13.046{80A11F3A-6A29-6127-F503-00000000F201}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000271850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E3509959EC6F3C3EF6221A2B820D4,SHA256=0BF88BF911FAA9DB068F6E91DFEF1EA232E6940AE6233E2144B4C782A5A682C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:14.311{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ACD6C1EB1C44A83B2F7DBCBA24D2DC,SHA256=29E3412ED57143E1864CAC08C099FDE62C4E2D29B71279197358393588DBD5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7EA3126FE14F92413EB8EAEECA980E6,SHA256=2F6AFA7C8584DE71163F63D5B7DDD8E0184DF709DAD0FBE66C92A3C9CA478ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B533185CA3F56C6ECEF414427BE941B5,SHA256=70E61E630C0B77416CB5A753AA602D53554995018B2903798F267D0EB057C59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:15.312{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E7F1AA40BC3E25F98F8A830F61B0CA,SHA256=59685AF623F006D311141DC48AC17E6E1BC555E07C6238F8A66517B5317FA653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:15.606{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84393FC2176D2CC2335E622F4BFCA4EF,SHA256=9106ACCA2371EB411A0317BBAC48223EE358E9C88DC5BE61AA9434AA97D90C50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:12.769{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000231129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:12.187{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.841{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D35012C7A4A5B6BA5B5C71C6380FDE,SHA256=E4865C2EFFD24A0129BBB993A9251B4F7BD10F88817D6702365A5838FB22FE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231131Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:16.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F94489CA3A46B2D108D962FC6F7F23,SHA256=789553328C3F1F8C4EEE9703851CB6D8234B9224734E53B9A95AE443F0EA2C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.809{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.810{80A11F3A-6A2C-6127-F703-00000000F201}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000271855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 354300x8000000000000000271854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:14.066{80A11F3A-4F27-6127-2400-00000000F201}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58111-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap 10341000x8000000000000000271906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.934{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.935{80A11F3A-6A2D-6127-FA03-00000000F201}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924768C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.919{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000231132Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:17.327{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50087766B981777238D895A63A0BA4D,SHA256=FBD2BD43609641E6BC9D8612AB5AD33B4ADCCFB465C61EDB637E167D851DE346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3960D3AE79D824ACB3CBFEB0D48F2D07,SHA256=B664E1986AE43E598CB0BD856AC662499A1F24858B91E67AE985B687F63DB18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.700{80A11F3A-6A2D-6127-F903-00000000F201}47005088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.466{80A11F3A-4F82-6127-8A00-00000000F201}42124296C:\Windows\system32\taskhostw.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.450{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F15-6127-0500-00000000F201}412504C:\Windows\system32\csrss.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.310{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.311{80A11F3A-6A2D-6127-F903-00000000F201}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000271875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.247{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.231{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.107{80A11F3A-6A2C-6127-F703-00000000F201}11601120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F80-6127-8000-00000000F201}2204908C:\Windows\system32\csrss.exe{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:17.059{80A11F3A-4F83-6127-8F00-00000000F201}45922660C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000271865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:16.974{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\ad2.bat"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000271910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A918782CFFBC54644EA973B53AE01,SHA256=502753A1360F855F04310766B9BC14E5AF1ACF88324E28B12721588A64FA4A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.966{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4265C5F465B75C0EC9115E5C29B1E60F,SHA256=243607FEA8C122B5951C99EDF7CE036A5AC5C7A4F4123321BA36178E068DAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231133Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.358{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE9A38B92A8E558F47B46872C736DEC,SHA256=CB4BAEF1D0DF2B9F8462972F36318242363AA7CB5A1E3B28F2F8881B88A66799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.247{80A11F3A-6A2D-6127-FA03-00000000F201}25961060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065AD014D211B7B9BC33635FD72C74CF,SHA256=6DA2B655DFB062315502C717A93103810F3090A088F68E3A96AC56C2C8254EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:19.374{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117CB59A0C3849015416D9A10AFD79B3,SHA256=4233E331179262C165FE91CB8CFBAE07AEDD807EBCAACE70CF4995538C13EDF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F29-6127-3100-00000000F201}27882428C:\Windows\system32\conhost.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.512{80A11F3A-4F27-6127-2900-00000000F201}29403704C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:19.513{80A11F3A-6A2F-6127-FB03-00000000F201}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-4F15-6127-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000231135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:20.420{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFBD076A825A03A3E236EBAEEF69B9A,SHA256=A71B0C47960524E6EDC124407DC5CC1EC971BDE979378EEE8B2D799CDF41F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EC42042650775FE5D3060AFC5CC6943,SHA256=3DF61D17356A9C488AD70FB2B10AB895316A1F7789931C47EB4B1230E0B4675A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:18.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:20.012{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215424EF26FD055DBF38B487BCCBE72A,SHA256=6CBF8FC915C05751C944D8E5F9460CC9AA0501D185103FE487DB8D6F24D81AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:21.436{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC2C07864A0F7CA6E3ECFF3BE7010E,SHA256=5D725CEC825F5505CF7B5BD46EB12044BCB0BA9263337703A1C9000F467B5AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:21.028{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031F9A004DB9F701388CCBFF0BA25BA4,SHA256=85AA58E3AB5DF7295BF1EEEC9B33965357B689A7F357E19CDA0560A106640EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:18.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:22.467{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F080404C09B3153716A8A8D7FC66B486,SHA256=DC39A77DB0487906D63740D229EACA8C1C60BC2C1E3E175B4DEF4C4DFE9BFE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:22.059{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EDFF44E95A582D26F513A1186256B0,SHA256=BAAC4010E292D30972173251EE4DD72861B84489B364CFEF6B1DD5BCB0296023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:23.483{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239B6F0A3CED5ABD23FF49039C2EE8AF,SHA256=31376C39F7AC5D31A368AF89A1DBFC992589F8CE2FEDDF1C57EA037785827082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:23.075{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA0F618871505089AC0214DD8799C2C,SHA256=BBA4721B2B507DCD3871F994F03422617304E4050120CFE0DB98027AD1061643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635124B7F17A70D567F1C339E5B50559,SHA256=F86557CE4C37B458CC1E5513F514A3D7FF7D438066054627B1929C5F73ACA5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE606E90CAF156FB6174856C0CA0949,SHA256=880A403205885B9B7E70836A887EB85DB09A99E51577C90F3895705A383CA4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:25.530{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B261DF59B023B23E99FD8FD352FCA143,SHA256=815579044AC36A568E0FF01595023E328C16B64E81E7BF34740C3393372FB43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:25.122{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D51C1DE140EB1B11023D822A404665,SHA256=7588E5B04FF6B9C7B9E5EEC2701ABE43F491A4FBBE1807606291BE1CD153D870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:26.561{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7298D14096104547344BD6C88142060,SHA256=05F228990C9E8D3A5032ECCA3F31E34D7930CD750F1D05806C9CE14B67E04F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:24.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:26.137{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D76885AE69C905CA94B4AB9E55221C,SHA256=0316EF4A7EF73DFD81BB7BCA319BE73EA4BD253A9F9677C06896833221A9C3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:27.608{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1D7F5CA5B9D7E4B222587493A28AFE,SHA256=353C402302AAC0DAB5DDCBB530EEB2697581EA46DD2EDB6D3B03FB664A4D6B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.153{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23F07E6085DF16187B1E664F79C8D67,SHA256=A14CB6C77426F1E7FD13DC870994852CFADC58F3EDA045E62D82752185C24CBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:24.093{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:28.639{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A27A3733B3BE764F0E3C4871A88956F,SHA256=5D76B76C8E21371D1B0E656D4074A90E186919EC8B613DA83339531BBF7E91E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.872{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 13241300x8000000000000000271933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config SourceDWORD (0x00000001) 13241300x8000000000000000271932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:28.856{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML 10341000x8000000000000000271931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.262{80A11F3A-4F15-6127-0B00-00000000F201}6323276C:\Windows\system32\lsass.exe{80A11F3A-4F11-6127-0100-00000000F201}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000271930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.169{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610229308CEEC61DDF773814DF2EC21D,SHA256=A3AAF0B4644FC83622F12190C0FA511D260BC20C5507FDF28CAF61B91FF05188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D330C42963C6BBE1C3AF071BBEE885,SHA256=F1A3041B6E36C239E29075CF9AF20718F8E9F844A289E6F8815FC839FCCB9DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.835{80A11F3A-4F11-6127-0100-00000000F201}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58116-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds 354300x8000000000000000271941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.733{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58115-false10.0.1.14win-dc-391.attackrange.local389ldap 354300x8000000000000000271939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:27.725{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58114-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 23542300x8000000000000000271937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.247{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9444E3752944113903739045928E8A9B,SHA256=60C1061220F62DE5C12BA723E71F4C1EC025639F2055DC75493F384FBE362C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:29.200{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233DDCD80028BC6204510FDCD5CFFE15,SHA256=20AA0129DA13B0464E119C29EAA321B509A3E6134FEEF74FC9F2BB8F6DD107F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:30.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AEE26DDF82940D3B87E595A7005869,SHA256=02FB89561427173F85367CCA9E96E3D846490154F84D6442A69097BB45D3DC78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.458{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58119-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.445{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.444{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58118-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local389ldap 354300x8000000000000000271946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F17-6127-0D00-00000000F201}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 354300x8000000000000000271945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:28.426{80A11F3A-4F27-6127-2B00-00000000F201}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local58117-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local135epmap 23542300x8000000000000000271944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.231{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA184283DCB5137F1F980E352503AB8,SHA256=768A6A4DA6FC49F803CB73AE9992919FAF9F8E18CC975ACE82AB32844F29D896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:31.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7331948D8CAD4938168EC77D1CBDF229,SHA256=0DAE2C30EDE5101DD747DE454A0998095781307140596D1E03AFEC5FBC8105D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:31.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBCA0B8C26B56E1757DC93635078D19,SHA256=6ADE98AE9343599CE6A1640CDADE7B8BAD5314EBCDB156362B02289ADFA41E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:29.140{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:32.702{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69227219D8BA42E56D9DA0F73A207FA5,SHA256=2920E9EA64884792188D0288F001D0CDD1DF3EF121F46EFE95BB9248447BA558,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:30.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000271953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.296{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362A0AFB4A0F13AB9E4E12EBAE735B12,SHA256=A4606BFE6C2921E5D5D5F92981F237B4CCA1DAADDB971F2EAE63519FFD0D85D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:32.106{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8A962529529F20B53803C8D44B61F80D,SHA256=E6A5B43783BFA13B631DED420AAD09CF98D4E54A983B9B8850FC9E1A0EF70AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:33.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A141D562AAE1EAD5BB8B719B4E457C3,SHA256=0086B513F2D18967D43ECDD543A69BFF067F03CA80DFA409A9C63816FFE2B478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:33.356{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB91F4EF74BEA01F414A4BDCDA7988,SHA256=9877E73F696E8F59BC8132134B51D3BFDEC976E2B41EA277F1E1C71B4FC2F139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231152Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:34.764{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164C2BEC88C92CD8FE8825618923B147,SHA256=9D54AAA2430527ACB0033A2F0D1AE77AA48428AFBE13F10B7DEEFF3ABADC7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:34.387{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F829E5FCDC4E179A0B2C822907503F82,SHA256=A8AFF140D371222553FB6F18B398BC60F714EE09823A36DD42D061FCB919D3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.780{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9373DB6B47EAB04A1668D49443E0F162,SHA256=BA8A620AD30D2BE4F6D6BA8069E30C6676357D16D09CA6C7AB5068F8D6F44F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:35.419{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF8CE25C7B20D23899E99DB80BA1970,SHA256=F0123F7186582876DF23F2D2B7985F33AB5DA1E883B1C0C9261B0306956472DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:36.842{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E6A4352CDD7C9B900C112E59AC1E69,SHA256=3CCF0AA80CD19BC35187867594934015B34604516959EDC73ECACF57F9F940AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.481{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C19A35CADFBBDEE7752A3718C849ED,SHA256=C1B259144C812A44B51CCBBC1AEB024F440D8BA6300823EB4049599A2D20B72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231157Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FE49A89933E1CA89EAAF396DB68FDA,SHA256=8E2ADC1E1B9AB952FBE495FDA87DDDCBD40048577E92440E7D72289C56D92A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:37.528{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDA96E5C245E751BD4D796AAED5B010,SHA256=641A78A61B0B727768864232420DE959361F4406F7E42DA9C06D31F91361ED93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231156Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:35.046{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231155Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:37.266{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210826082145-112MD5=349E443D1E32FBAC73BEC404CC8444A6,SHA256=D87BB887B739A839236181862F39F1D70922201AA9CFAFE5C633779D011A14EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:38.700{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E50B1658B117411565EE0A034A3BC,SHA256=F70ADBEA98F3B04E7398F8E826A774975C8ED3C533E31578B9E414E084A72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231159Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D837A35C73AA9C03DE807AF1B33A0B3,SHA256=99CA588627BB1EE776FD9EB099714F9761478462DAA9CC44FA3273C48D170F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231158Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:38.281{D371C250-4F16-6127-1D00-00000000F301}1920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210826082142-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:36.612{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231160Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:39.858{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E0204D195E3335A0962FB62C66462F,SHA256=9497DF1ADA5B49C31D482248DDCAE929DB463D51B69B2A6865A9CD43D44E7E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.715{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC3865AA3A359D4E422DF87E16E92FD,SHA256=F6C99B2F5DA47F2A45297EA377AD9929CEF3D62BCC030E893AD3FEC18C01FBE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:39.122{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=059C733B0EE6182D683EE7E147F163B1,SHA256=6C74ACC1BA0CEB3EF59FE0594E1C1428BC778F07934E31419E91FAFF1719849C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231161Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901DA2F11FE6AB3530E5D4172B6E0535,SHA256=8B7D1B998C3B7221849BC827C0F753BCDB21EADA9D6F8BB173BEEB562AECE7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.747{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49501F8FF6E04162FC8A4BFA141B0B1,SHA256=58FE119109966A53A0E33A68E061B982F670FF6A55DA69C8CF2F160CA43045CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.341{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BE9D381645D287EC9BDC8CCD315F8E,SHA256=5270BCD17414AEA011650F71C877A62D96A234C10813C665A9630764083ABFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231162Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:41.874{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4E5339191C8395ECE08652B168F15F,SHA256=491D08F1330A0823CAF81FCE7B140C3B4AE1455DE46FCED4DC986AE3792B33EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9052BC0C1AA24518BD69E58587D04F0,SHA256=4B83C497CA56B1B33F95158D82B5149B87FCBBC202B4C7D494E16DA0E055390E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000271967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-26 10:17:41.325{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79a63-0x9a61bace) 23542300x8000000000000000231164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:42.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52E59F5B24DA182C8A7E7C1D8EC5C92,SHA256=CF4394BAD3D9EA30239CF041E8B7EDA72F844120450BDA95B0022880E553D2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:42.778{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D17EA7B65EDA0021F486E2F6419110,SHA256=1801EBFB8B40FCF401ABD671DA3CA3A1D838146529BF09598A14C5365C16F5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231163Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:40.125{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000271969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:40.877{80A11F3A-4F17-6127-1200-00000000F201}380C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-391.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000231166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91721F641F1AA65379728DBB41DCE0DA,SHA256=8535D590B66FE88D0C958529972289509C927A286B21A4497DE497F4DDBCA7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:43.809{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2083BD067953D00EEF639ACF6E5F8C,SHA256=FB990F92EA5CA2C1646ADB001DC54FFDE4E2A1502924FBC43382982226F4E791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:43.421{D371C250-4F15-6127-1200-00000000F301}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1615A0DFA22E93B9645ABD2DC39EC11B,SHA256=5B0F2E70953FBED0F72B2104842C7814DBF0EFC02BB5D9081583D021B3463CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271971Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:41.643{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:44.889{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1375687EB56884C91A48BF1935698194,SHA256=62230E9CB8381E14C0E06D0CD7C5CAB47F7855D8024BDBC021F55E72E410FF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:44.825{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23208B8AD1A9C81D5D585A0488F6BF14,SHA256=BD17D11CAAD9435173D001E7F5D4574144354A1D303B3D11CA8BCEF3434CE157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:45.905{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18A26EB1552FF3C975F3CC4FF163CB0,SHA256=AE24330FAACB1E44843299FECF0B239CBFDECF347DC7485F571A2DAF2D50314F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3626E454BAB3F6859736D13AE2B92C1F,SHA256=8A422B5EF7F889F7F3B1D1E3272FE1AD230C140F9042AC9A1BD1FF0B1A178708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000271975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.606{80A11F3A-4F17-6127-0D00-00000000F201}9004800C:\Windows\system32\svchost.exe{80A11F3A-4F18-6127-1600-00000000F201}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000271974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:45.153{80A11F3A-4F17-6127-1100-00000000F201}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA2CED676F1CBD122F30744675DC5F88,SHA256=5BFFBDB9DD644E04F27509902837F688FD3FFD3561BD150FFC44D5C9B8AB4A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A401414A5E65C112A1BFA74D43E7B9B,SHA256=8F2F37824E2326DDED1719E659273A8679DE9B590C693A498ECEF756CFDAED81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.840{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402F3CA6A985F287A47F013D974E8941,SHA256=C8820284B05A7D402EAE42B59ED85CC37B8C4F5BBEF478617C033C0EF8AE3086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.137{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=BC9AA318991A7AA2975D2674C842EA54,SHA256=C258F69FC316048FE15D5C07674DAAFBA5B520646A52CD99B18146FA9048D3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:47.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46864DEC38700B9709A2D6865E52A76,SHA256=F60233DF9F2B1F167BE0C7CF6DAD342EAF24A29274ECA902A532A100381199BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:47.856{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C7D39BFDEF7863B7EAA77CDF4AA220,SHA256=83C8DC4C8A68FC0FD296E8694CE78E4169EB7C236AD5DCEF98CD20E235E9F9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231171Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:48.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA062D8FCCFB9B442EECA34B19CE2D1,SHA256=C7E7BA7A8CE709C62C659177353CB71239CB886CA1FBAB63FE0BD80B28C4A577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000271980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:48.872{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970F09E9E568352E629442C83671958A,SHA256=CAA4DEF60FAB14A04AFF43A8A48FC8E9BAF0D21797098FED8289D7DEB0DEF449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231173Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:49.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F08E5D491DCC51718D6E4A834AFF5B,SHA256=4D1392A0873B28775CD787F9AEF268CF3EBC07BB667C26D1546EDDF94C126163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000231172Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:46.109{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000272023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.825{80A11F3A-4F83-6127-8F00-00000000F201}4592764C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F82-6127-8700-00000000F201}37444852C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000272015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.794{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000272013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.731{80A11F3A-4F82-6127-8700-00000000F201}37444032C:\Windows\System32\RuntimeBroker.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+621fb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aecda|C:\Windows\System32\combase.dll+a5aad|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65373|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000272012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45921376C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.700{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272003Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0D00-00000000F201}9001148C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272002Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272001Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272000Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000271996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.669{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F83-6127-8F00-00000000F201}45924236C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271992Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961660C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271991Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.653{80A11F3A-4F18-6127-1600-00000000F201}12961340C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271990Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.637{80A11F3A-4F80-6127-8000-00000000F201}22044720C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271989Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271988Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271987Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271986Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F27-6127-2700-00000000F201}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271985Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F15-6127-0500-00000000F201}412428C:\Windows\system32\csrss.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000271984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.622{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000271983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.633{80A11F3A-6A4D-6127-FC03-00000000F201}3424C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-4F81-6127-ECFA-070000000000}0x7faec2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{80A11F3A-4F17-6127-0C00-00000000F201}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000271982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.528{80A11F3A-4F27-6127-2900-00000000F201}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000271981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:46.706{80A11F3A-4F33-6127-6900-00000000F201}3796C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000231174Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:50.936{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BF98809AB0CFBDF3756C068B675A1D,SHA256=ED6B3B7CA3AC4FB790EF4197BDA0FE5F548F1C577EDAD206B35D9ADB496C2AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45924824C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+61d7f|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+5e466|C:\Windows\System32\combase.dll+5dc1a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000272033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}4592208C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9200-00000000F201}4912C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F83-6127-8F00-00000000F201}45922548C:\Windows\Explorer.EXE{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.794{80A11F3A-4F17-6127-0C00-00000000F201}8404556C:\Windows\system32\svchost.exe{80A11F3A-4F84-6127-9300-00000000F201}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599E0CD437E6EDFA1E5CA554A5809023,SHA256=C4648CDDE01D1D7BD5D335623DA3D9FBA65F72E765B79095DACDF33A5366B31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.762{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B473D6A428109CBF693C56DEBE42EA9B,SHA256=7CBCD7760A40E2C6298FE33EC6570D793E37229E470178C2FFFE27C2C530F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5980C7F3495F9DA8355752141426293D,SHA256=C1CCC0FD71628D8E8C846AE9E0A47E104621EA3ADDED0F1E1D4BDC843CEC6DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:50.262{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940B84F1F70C37DD305FDF6EEA8083D2,SHA256=FF56BDC80DC34D084E512FD03C6749B015FC7E05171901A75BCCDA24D5233BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231175Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:51.952{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16100F151B73FDDD32FD73BBD7AC7A9,SHA256=4465E8FFF66AAD79D54A2757767F4EE8834BCB244F0D60D0AA4591DD2276DA9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.622{80A11F3A-4F83-6127-8F00-00000000F201}45924108C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.606{80A11F3A-4F83-6127-8F00-00000000F201}45924856C:\Windows\Explorer.EXE{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:51.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C5C1C4D4BEAF242FFF3EE35B73B356,SHA256=FB6DF81041B3F0F4ED9D18BF45BF6049B9EC84DF466C73A6DD4037A35C7384F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000272036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:49.081{80A11F3A-4F27-6127-2900-00000000F201}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local58124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000231176Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.967{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968DEAF0D79339BCF49904BBDA7E967B,SHA256=0279C40D7F66B9DD88720EC4789EC1332ACFE0A405E0860A14B4DF6A2094D090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.278{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CFF2FE7157C7D9C03599E29700E9DA,SHA256=95E7227AA2A78079F1015B8FD459145A6DDFFD50C2E7D396AF9D8DB01ED27B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.090{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ad2.bat@2021-08-26_101732MD5=D7C705A0BB5EF28941E08522824DE0CD,SHA256=E2D912BF40B6987F3E603687D625B94CE65831C2BC90D91F3031BE7C5B171125,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940C:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.bat2021-08-26 10:17:00.433 23542300x8000000000000000272045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:52.075{80A11F3A-6A2C-6127-F803-00000000F201}1940ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\ad2.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000272052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F17-6127-0C00-00000000F201}8402344C:\Windows\system32\svchost.exe{80A11F3A-4F15-6127-0B00-00000000F201}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.700{80A11F3A-4F15-6127-0B00-00000000F201}6322948C:\Windows\system32\lsass.exe{80A11F3A-4F15-6127-0A00-00000000F201}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000272049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:53.294{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83A33CF8FAE1D6CD992AD616388D141,SHA256=D2B07232EACA47A6DDBCBCDDDF0F8072157B26FD2E3EB4B09DEE64714E27896F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231177Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:53.999{D371C250-4F29-6127-6B00-00000000F301}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F508B4509F6D50712D2DD2C6AEF14FDA,SHA256=18170112BB77A032C676AD439913A1225D009543CD3988B39DB04632D334AD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=002D226D33D9D09A5868302A623690ED,SHA256=1702AA1AC68D40F661CC2CB89DB381A36C16ED9FEF9C28409324306A11B4A442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.745{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5A398EC051C01201E0ABED5DCB842AF,SHA256=B2A8E83D8D4A11429415A63572210B8882566125A7B04B09B9D83F95B07B1E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.421{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210826082203-112MD5=F664F39CA99FFE6D1B0CF04D1B303ADE,SHA256=25FBE84EB11AB9F0B9C035A6B4A79DA9DC762C884A765E4FDE7D33ED5F996BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:54.325{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765C467DADE0770AF073B085713D6CC6,SHA256=7B95EEC5DBF222F9A338822D269C65FA2C8F6865807D7523B061D4D72DCC3771,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000272068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.638{80A11F3A-4F83-6127-8F00-00000000F201}4592C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-08-26 10:17:55.623 23542300x8000000000000000272067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.434{80A11F3A-4F27-6127-2A00-00000000F201}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210826082200-113MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000272066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-26 10:17:55.339{80A11F3A-4F3B-6127-7200-00000000F201}4048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290BE14C75327150889DE2B421B11E4,SHA256=7261CDE49B989131F93F22A74B65BD3523178EBE959A45BE983C8B6F1B287576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000231206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F15-6127-0C00-00000000F301}7243932C:\Windows\system32\svchost.exe{D371C250-4F16-6127-1F00-00000000F301}356C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F14-6127-0500-00000000F301}4123344C:\Windows\system32\csrss.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000231195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.514{D371C250-4F16-6127-2100-00000000F301}11963544C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000231194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.515{D371C250-6A53-6127-C003-00000000F301}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-4F15-6127-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000231193Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:52.094{D371C250-4F21-6127-6200-00000000F301}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000231192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:55.202{D371C250-6A52-6127-BF03-00000000F301}16922572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-4F16-6127-2100-00000000F301}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231191Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-26 10:17:54.999{D371C250-4F17-6127-2B00-00000000F301}28442864C:\Windows\system32\conhost.exe{D371C250-6A52-6127-BF03-00000000F301}